1. Summary

In order to make computing on encrypted data more practical to use and more secure from attack, it is necessary to discover, develop, and understand the mathematics on which it is based and the mathematics that can be used to attack it. The security of homomorphic encryption schemes is based on the presumed difficulty of mathematical problems about lattices. Discovering and fully exploring algorithms to solve these mathematical problems allows computing on encrypted data to be performed with confidence, knowing that its cryptographic security rests on sound mathematical foundations.

Hendrik Lenstra and Alice Silverberg discovered and developed algorithms to solve some lattice problems under suitable conditions, and investigated the mathematical foundations of these algorithms. A primary method of attack on homomorphic encryption schemes consists of lattice algorithms performed on ideal lattices, which are lattices with a certain type of algebraic structure. Any structure or symmetry is potentially susceptible to exploitation and attack. The work performed here gives algorithms for lattice problems for lattices that have symmetry. Recommendations are that the mathematical foundations of lattices with symmetry be further developed, in order to quantify the security of lattice-based cryptography, including especially the security of homomorphic encryption schemes.
2. Introduction

In encryption schemes, one party encrypts a plaintext message to obtain a ciphertext. The other party decrypts the ciphertext to recover the plaintext. In Fully Homomorphic Encryption (FHE), parties that do not know the plaintext data can perform computations on it by performing computations on the corresponding ciphertexts.

The security of essentially all currently known FHE schemes is based on the presumed difficulty of some lattice problem, such as finding an approximately shortest (non-zero) vector in a high-dimensional lattice. The primary known attacks on FHE schemes are variants of the LLL lattice basis reduction algorithm [7], originally due to Lenstra, Lenstra, and Lovász.

A number of Fully Homomorphic Encryption schemes use ideal lattices rather than arbitrary lattices, including Gentry's first FHE scheme [3]. Fully Homomorphic Encryption is performed more efficiently with ideal lattices than with general lattices. However, ideal lattices are very special lattices, with much structure ("symmetries") that has the potential to be exploited, and it might turn out to be the case that lattice attacks are easier for ideal lattices than for generic lattices.

In §7 of [5], Gentry and Szydlo introduced some powerful new ideas that combined lattice basis reduction and number theory in a clever way. They used these ideas to cryptanalyze NTRU (NTRUEncrypt Public Key Cryptosystem) Signatures. The recent interest in Fully Homomorphic Encryption and in the candidate multilinear maps of Garg-Gentry-Halevi [2] has renewed the interest in the Gentry-Szydlo results from [5].

In his PhD thesis [4], Gentry mentions that the Gentry-Szydlo attack on NTRU signatures can be used to attack principal ideal lattices in the ring Z[X]/(X^n − 1), if the lattice has an orthonormal basis.

The algorithm of Gentry and Szydlo can be viewed as a way to find an orthonormal basis (if one exists) for an ideal lattice. Determining whether a lattice has an orthonormal basis is in general a difficult algorithmic problem. The main results reported here show that this problem is easier when the lattice has many symmetries. We also put the Gentry-Szydlo algorithm into a mathematical framework, and show that it is part of a general theory of "lattices with symmetry". This sheds new light on the Gentry-Szydlo algorithm, and the ideas should be applicable to a range of questions in cryptography.

The new algorithm of Lenstra and Silverberg runs in deterministic polynomial time, whereas the Gentry-Szydlo algorithm in §7 of [5] was based on heuristic assumptions. Also, the Lenstra-Silverberg setting is more general (it applies to arbitrary finite abelian groups, whereas [5] considered only cyclic groups of odd prime order), thereby covering other cases of potential cryptographic interest.

The main results are joint work with Hendrik Lenstra [9, 10, 11, 12] (see appendix). In [13] we give an exposition of FHE for a mathematical audience (see appendix), which gives some useful background. See [1] for mathematical background in commutative algebra.
3. Methods, Assumptions, and Procedures

The techniques involve algorithmic algebraic number theory, analytic number theory, commutative algebra, and lattice basis reduction. Let Z denote the ring of integers. Let Z[X] denote the ring of polynomials in one variable X with integer coefficients.


3.1. The Gentry-Szydlo Algorithm. The Gentry-Szydlo algorithm in §7 of [5] finds a generator v of a principal ideal in the quotient ring Z[X]/(X^n − 1), given v v̄ and a Z-basis for the ideal. Here, n is an odd prime number, and for

$$v = a_0 + a_1 X + \cdots + a_{n-1} X^{n-1}$$

its "reversal" is defined to be

$$\bar{v} = a_0 + a_{n-1} X + \cdots + a_1 X^{n-1}.$$

The information v v̄ is the crucial "hint" that gives enough structure (i.e., "symmetry") to recover the generator v of the principal ideal.

A brief sketch of the Gentry-Szydlo algorithm in §7 of [5] is the following:

(i) Choose auxiliary large prime numbers P, P' such that gcd(P − 1, P' − 1) = 2n.

(ii) Use polynomial chains and the LLL algorithm [7] to compute v^{P−1} and v^{P'−1} modulo other auxiliary prime numbers.

(iii) Use the Euclidean algorithm to compute v^{2n}.

(iv) Recover v.

In §7 of [5], taking powers of an ideal in the ring R = Z[X]/(X^n − 1) required complicated bookkeeping, via polynomial chains and lattice basis reduction, to avoid coefficient blow-up. When one multiplies ideals, coefficients (with respect to any Z-basis) grow quickly, because of the way the ideals are embedded in the ring. Where Gentry and Szydlo use the ideal structure of ideal lattices, Lenstra and Silverberg [9, 11] do away with this, by using only the module structure of the ideal, rather than its ideal structure. More precisely, an ideal in a commutative ring R is the same as an R-module M along with an embedding M → R of R-modules. While Gentry and Szydlo use the embedding, Lenstra and Silverberg observe that one can avoid coefficient blow-up by using the module structure of M but not the actual embedding. Lenstra and Silverberg also replace ideal multiplication with tensor products of lattices. By tensoring abstract modules rather than multiplying ideals, we avoid the need to keep track of embeddings into the ring and large coefficients. We introduce a graded tensor algebra that replaces Gentry's and Szydlo's polynomial chains.

More specifically, where Gentry and Szydlo use polynomial chains built from powers of v and v̄ and their products (the displayed chain is not legible in this copy), in the new papers [9, 11] a graded tensor algebra is used instead:

$$\cdots \oplus \bar{L}^{\otimes 2} \oplus \bar{L} \oplus L^{0} \oplus L \oplus L^{\otimes 2} \oplus L^{\otimes 3} \oplus \cdots$$

where L is the ideal lattice, and L̄ and L^0 are suitably defined (below).

In addition, where Gentry and Szydlo [5] use auxiliary large prime numbers P and P', Lenstra and Silverberg [9, 11] use auxiliary large prime powers. An analytic number theory result then allows us to replace the heuristic polynomial-time algorithm in [5] with a more efficient, provably deterministic polynomial-time algorithm.

3.2. Lattices. See [8] for background on lattices.

Definition 1. A lattice is a finitely generated abelian group L with a map

$$L \times L \to Z, \qquad (x, y) \mapsto \langle x, y \rangle$$

that is

• bilinear, i.e., ⟨x, y + z⟩ = ⟨x, y⟩ + ⟨x, z⟩ and ⟨x + y, z⟩ = ⟨x, z⟩ + ⟨y, z⟩ for all x, y, z ∈ L,

• symmetric, i.e., ⟨x, y⟩ = ⟨y, x⟩ for all x, y ∈ L, and

• positive definite, i.e., ⟨x, x⟩ > 0 if 0 ≠ x ∈ L.

Example 2. The standard lattice of rank n is Z^n with inner product

$$\langle x, y \rangle = \sum_{i=1}^{n} x_i y_i.$$

Definition 3. An isomorphism of lattices L and M is a group isomorphism φ: L → M that respects the lattice structures, i.e., ⟨φ(x), φ(y)⟩ = ⟨x, y⟩ for all x, y ∈ L. If such a map φ exists, then L and M are isomorphic lattices. An automorphism of a lattice L is an isomorphism from L to itself. The set of automorphisms of L is a finite group Aut(L) that contains −1.

For a lattice, having an orthonormal basis is the same as being isomorphic to the standard lattice of the same rank.
3.3. G-lattices. Fix a finite abelian group G and an element u in G of order 2.

Definition 4. A G-lattice is a lattice with a G-action, with u acting as −1. In other words, a G-lattice is a lattice L with a group homomorphism f: G → Aut(L) such that f(u) = −1. For σ ∈ G and x ∈ L let σx = f(σ)(x).

Definition 5. If L and M are G-lattices, then a G-isomorphism is an isomorphism φ: L → M of lattices that respects the G-actions, i.e., φ(σx) = σφ(x) for all x ∈ L and σ ∈ G.


Let

$$Z[G] := \Big\{ \sum_{\sigma \in G} a_\sigma \sigma \;:\; a_\sigma \in Z \Big\}.$$


Definition 6. The standard G-lattice Z⟨G⟩ is Z[G]/(u + 1) with lattice structure defined by

$$\langle x, y \rangle = t(x \bar{y}),$$

where

$$\overline{\sum_{\sigma \in G} a_\sigma \sigma} := \sum_{\sigma \in G} a_\sigma \sigma^{-1}$$

and

$$t\Big(\sum_{\sigma \in G} a_\sigma \sigma\Big) := a_1 - a_u \in Z.$$

Let n := |G|/2. Then Z⟨G⟩ is a G-lattice of rank n. As lattices, Z⟨G⟩ is isomorphic to Z^n. Further,

$$Z\langle G \rangle = \Big\{ \sum_{\sigma \in S} a_\sigma \sigma \;:\; a_\sigma \in Z \Big\}$$

where S is a set of coset representatives of the quotient group G/⟨u⟩ (i.e., #S = n and G is the disjoint union of S and uS).

Example 7. If G = ⟨u⟩ × Z/nZ, then Z⟨G⟩ = Z[Z/nZ] = Z[X]/(X^n − 1).

Example 8. If G is cyclic, then Z⟨G⟩ = Z[X]/(X^n + 1).

Example 9. If G is cyclic of order 2^r, and ζ_{2^r} is a primitive 2^r-th root of unity, then Z⟨G⟩ = Z[ζ_{2^r}].

Definition 10. A G-lattice L is invertible if L is a unimodular lattice and there is a Z⟨G⟩-module M such that L ⊗_{Z⟨G⟩} M and Z⟨G⟩ are isomorphic as Z⟨G⟩-modules.

Definition 11. If L is a G-lattice, then the G-lattice L̄ is a lattice equipped with a lattice isomorphism L → L̄, x ↦ x̄, and a group homomorphism G → Aut(L̄) defined by

$$\sigma \bar{x} = \overline{\sigma^{-1} x}$$

for all σ ∈ G and x ∈ L.

3.4. Auxiliary prime powers.

Definition 12. The exponent of a group H is the least positive integer k such that a^k = 1 for all a ∈ H.

The exponent of a group H divides the order |H| of H and has the same prime factors as |H|.

Definition 13. Let k be the exponent of the group G and let k(m) be the exponent of the group (Z⟨G⟩/(m))^*.

We replace the Gentry-Szydlo auxiliary prime numbers P and P' such that

$$\gcd(P - 1, P' - 1) = 2n$$

with auxiliary prime powers ℓ and m such that

$$\gcd(k(\ell), k(m)) = k.$$

While the Gentry-Szydlo prime numbers P and P' are found with at best a probabilistic algorithm, the prime powers ℓ and m used in [9, 11] can be found with a deterministic algorithm that runs in polynomial time, thanks to a result from analytic number theory:

Theorem 14 (Heath-Brown [6]). There is an effective positive constant c such that if a and t are relatively prime positive integers, then the smallest prime number p such that p ≡ a mod t is at most c t^{5.5}.

The ring elements that Gentry and Szydlo work with were required to not be zero divisors modulo P, P', and other auxiliary prime numbers. We require no analogous condition on ℓ and m.

Along the way towards formulating and proving our main algorithms, we prove and use:

Theorem 15. If L is an invertible G-lattice, then the map

$$\{\text{G-isomorphisms } Z\langle G \rangle \to L\} \longrightarrow \{\text{vectors of } L \text{ of length } 1\}$$

that sends f to f(1) is bijective.
4. Results and Discussion

For large ranks, there is no good algorithm that decides whether a given lattice has an orthonormal basis (i.e., is isomorphic to a standard lattice Z^n). Lenstra and Silverberg construct a provably deterministic polynomial-time algorithm that decides whether a given lattice with sufficiently many symmetries has an orthonormal basis, and finds one if it does. It is based on the algorithm of Gentry and Szydlo in §7 of [5].

More precisely, we give a deterministic polynomial-time algorithm that decides whether a G-lattice is G-isomorphic to the standard G-lattice Z⟨G⟩, and if it is, exhibits such an isomorphism.

Theorem 16 (Lenstra and Silverberg, [9, 11]). There is a deterministic polynomial-time algorithm that, given a finite abelian group G, an element u in G of order 2, and a G-lattice L, decides whether L and Z⟨G⟩ are G-isomorphic, and if they are, exhibits a G-isomorphism.

Recall the definitions of the exponents k and k(m) from Definition 13.

Here is a sketch of the main algorithm:

(i) Check whether L is invertible.

(ii) Produce large prime powers ℓ and m such that gcd(k(ℓ), k(m)) = k.

(iii) Compute e_{ℓm} ∈ L that generates L/ℓmL as a Z⟨G⟩/(ℓm)-module.

(iv) Find a vector of length 1 in L^{⊗k(m)}, if one exists.

(v) Find a vector of length 1 in L^{⊗k}, if one exists.

(vi) Find a vector e of length 1 in L, if one exists.

(vii) The desired isomorphism Z⟨G⟩ → L is x ↦ xe.

Since one can get an orthonormal basis for the standard G-lattice from half the group elements, it follows that the algorithm decides whether a G-lattice has an orthonormal basis, and finds one if it does.

Even more, we can determine whether two invertible G-lattices are G-isomorphic, and if they are, find such an isomorphism, as in the following result.

Corollary 17 (Lenstra and Silverberg, [11]). There is a deterministic polynomial-time algorithm that, given a finite abelian group G, an element u in G of order 2, and two invertible G-lattices L and M, determines whether there is a G-isomorphism M → L, and if so, computes one.

We next explain how to recover the Gentry-Szydlo algorithm in §7 of [5] from the above algorithm. Recall that the Gentry-Szydlo algorithm finds a generator v of a principal ideal I of Z[X]/(X^n − 1) (with n an odd prime number), given v v̄ and a Z-basis for I. Let G be a cyclic group of order 2n. Then Z⟨G⟩ = Z[X]/(X^n − 1). Make I into a G-lattice with lattice structure defined by

$$\langle x, y \rangle = t\big(x \bar{y} / v \bar{v}\big).$$

The above algorithm produces a G-isomorphism

$$\varphi : Z\langle G \rangle \to I$$

in polynomial time, and thus gives a generator v = φ(1) of the ideal I in polynomial time.

On the way, we give in [10] a deterministic polynomial-time algorithm that determines whether a finite module over a finite commutative ring is cyclic, and if it is, outputs a generator.

Definition 18. If R is a commutative ring, then an R-module M is cyclic if there exists y ∈ M such that M = Ry.

Theorem 19. There is a deterministic polynomial-time algorithm that, given a finite commutative ring R and a finite R-module M, decides whether there exists y ∈ M such that M = Ry, and if there is, finds such a y.

We also give in [12] a deterministic polynomial-time algorithm that, given an order, determines a set of generators for the group of roots of unity in the order.

Definition 20. An order is a commutative ring A whose additive group is isomorphic to Z^n for some non-negative integer n.

Definition 21. If R is a commutative ring, then we write

$$\mu(R) = \{ z \in R : z^r = 1 \text{ for some positive integer } r \},$$

the group of roots of unity in R.

The group μ(R) is a subgroup of the group R^* of invertible elements of R.

Theorem 22. There is a deterministic polynomial-time algorithm that, given an order A, produces a set of generators S of μ(A), as well as a set of defining relations for S.
5. Conclusions

We give a deterministic polynomial-time algorithm that decides whether a lattice with enough symmetry has an orthonormal basis, and finds one if it does. More precisely, we give a deterministic polynomial-time algorithm that, given a finite abelian group G, an element u in G of order 2, and a G-lattice L, decides whether L and Z⟨G⟩ are G-isomorphic, and if they are, exhibits a G-isomorphism. We also give a deterministic polynomial-time algorithm that, given a finite abelian group G, an element u in G of order 2, and two invertible G-lattices L and M, determines whether there is a G-isomorphism M → L, and if so, computes one.

These results generalize the algorithm in §7 of the paper [5] of Gentry and Szydlo. Our algorithms are deterministic algorithms that run in (provably) polynomial time, whereas the Gentry-Szydlo algorithm was based on heuristic assumptions. The new mathematics that we developed sheds light on what the Gentry-Szydlo algorithm does and why it works. Our setting is more general, covering more cases of potential cryptographic interest. We remark that the Gentry-Szydlo and Lenstra-Silverberg algorithms are not known to weaken the security of cryptosystems whose security is based on the presumed difficulty of the Ring-LWE Problem.
6. Recommendations

In order to give convincing evidence that methods for computing on encrypted data are cryptographically secure, it is important to discover, develop, and understand the mathematical foundations on which these methods rely. This will enable the construction of more efficient and secure systems, and will give reliable information and confidence as to which systems are secure. Recent proposals for secure computing on encrypted data make use of lattices that have some symmetry. Therefore, the primary recommendation is that the mathematical foundations of lattices with symmetry be discovered and developed. An additional recommendation is that the security of homomorphic encryption schemes based on ideal lattices be quantified, in order to give confidence in the security of such schemes and in order to be able to effectively compare different schemes.
Z[X]  the set of polynomials in one variable X with integer coefficients
|G|  the number of elements in a set G

Fully Homomorphic Encryption for Mathematicians

Alice Silverberg


Abstract. We give an introduction to Fully Homomorphic Encryption for mathematicians. Fully Homomorphic Encryption allows untrusted parties to take encrypted data Enc(m_1), ..., Enc(m_t) and any efficiently computable function f, and compute an encryption of f(m_1, ..., m_t), without knowing or learning the decryption key or the raw data m_1, ..., m_t. The problem of how to do this was recently solved by Craig Gentry, using ideas from algebraic number theory and the geometry of numbers. In this paper we discuss some of the history and background, give examples of Fully Homomorphic Encryption schemes, and discuss the hard mathematical problems on which the cryptographic security is based.


1. Introduction

Fully Homomorphic Encryption (FHE) has been referred to as a "holy grail" of cryptography. Craig Gentry's recent solution to the problem, while not efficient enough to be practical, was considered to be a major breakthrough. Since then, much progress has been made in the direction of finding efficient Fully Homomorphic Encryption schemes.

In this paper we will give a brief introduction to FHE for mathematicians. We will give some of the history and major ideas, we will present some examples of FHE schemes, and we will mention a variety of security assumptions on which FHE schemes have been based. The intended audience is mathematicians at the graduate level or beyond (especially number theorists) who do not necessarily have any background in cryptography. The paper is mostly a survey, though §4.3 gives a number theory proof that does not seem to be in the cryptography literature.

This material is based on research sponsored by DARPA under agreement numbers FA8750-11-1-0248 and FA8750-13-2-0054. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.

The work was also supported by the National Science Foundation under grant CNS-0831004. Thanks go to Hendrik Lenstra for helpful conversations about Fully Homomorphic Encryption, and to Lily Khadjavi, Zvika Brakerski, Chris Peikert, and Steven Galbraith for very helpful comments on earlier versions of the paper.

In encryption schemes, Bob encrypts a plaintext message to obtain a ciphertext. Alice decrypts the ciphertext to recover the plaintext. In Fully Homomorphic Encryption, parties that do not know the plaintext data can perform computations on it by performing computations on the corresponding ciphertexts.

A major application of FHE is to cloud computing. Alice can store her data in "the cloud", for example, on remote servers that she accesses via the Internet. The cloud has more storage capabilities and computing power than does Alice, so when Alice needs computations to be done on her data, she would like those computations to be done by the cloud. However, Alice doesn't trust the cloud. Her data might be sensitive (for example, Alice might be a hospital and the data might be patients' medical records), and Alice would like the cloud to know as little as possible about her data, and about the results of the computations. So Alice sends encrypted data to the cloud, which can perform arithmetic operations on it without learning anything about the original raw data, by performing operations on the encrypted data.

Fully  Homomorphic  Encryption  can  be  used  to  query  a  search  engine,  without 
revealing  what  is  being  searched  for  (here,  the  search  engine  is  doing  the  computations 
on  encryptions  of  information  that  it  doesn’t  know). 

More precisely, FHE has the following property (in its simplest form). Say that ciphertexts c_i decrypt to plaintexts m_i, i.e., Decrypt(c_i) = m_i, where the m_i's and c_i's are elements of some ring (with two operations, addition and multiplication). In FHE one has

$$\mathrm{Decrypt}(c_1 + c_2) = m_1 + m_2, \qquad \mathrm{Decrypt}(c_1 \cdot c_2) = m_1 \cdot m_2.$$

In other words, decryption is doubly homomorphic, i.e., homomorphic with respect to the two operations addition and multiplication.

Being fully homomorphic means that whenever f is a function composed of (finitely many) additions and multiplications in the ring, then

$$\mathrm{Decrypt}(f(c_1, \ldots, c_t)) = f(m_1, \ldots, m_t).$$

If the cloud (or an adversary) can efficiently compute f(c_1, ..., c_t) from ciphertexts c_1, ..., c_t, without learning any information about the corresponding plaintexts m_1, ..., m_t, then the system is efficient and secure.

Another requirement for FHE is that the ciphertext sizes remain bounded, independent of the function f; this is known as the "compact ciphertexts" requirement.

(Depending on the FHE system, the messages and ciphertexts could in fact lie in different rings, and multiplication might be accomplished using a tensoring operation, as in [Br].)

Fully Homomorphic Encryption schemes can be either public key (where the encryptor knows the decryptor's public key but not her private key) or symmetric key (where the encryptor and decryptor share a key that is used for both encryption and decryption).
In Section 2 we briefly give some history and background. In Sections 3, 4, and 5 we give some (somewhat) homomorphic encryption schemes, to illustrate a variety of techniques and security assumptions.

See [V2] for an excellent recent survey article. See also [H] for a good explanation of FHE for a general audience.

As usual, Z, Q, R, and C denote the integers, rational numbers, real numbers, and complex numbers, respectively, and F_q denotes the finite field with q elements.

2. Some history and background

2.1. Early history. In 1978, shortly after the invention of the RSA cryptosystem, Rivest, Adleman, and Dertouzos [RAD] came up with the idea of fully homomorphic encryption, which they called "privacy homomorphisms". Their paper states, "although there are some truly inherent limitations on what can be accomplished, we shall see that it appears likely that there exist encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands, for many sets of interesting operations. These special encryption functions we call 'privacy homomorphisms'; they form an interesting subset of arbitrary encryption schemes". Despite the optimism of Rivest, Adleman, and Dertouzos, fully homomorphic encryption remained out of reach for many years.

A number of cryptosystems are homomorphic with respect to one operation. For example, RSA and ElGamal encryption are homomorphic with respect to multiplication.

We recall that in (basic¹) RSA, Alice's public key is (N, e) and private key is d, where N is a product of two large primes and where de = 1 mod φ(N). If m ∈ Z/NZ is the plaintext, then the ciphertext is c = m^e mod N. To decrypt, Alice computes c^d mod N = m. If Bob encrypts messages m_1 and m_2 using Alice's public key (N, e), then the product of the resulting ciphertexts is the ciphertext of the product of the plaintexts m_1 and m_2, i.e., (m_1^e mod N)(m_2^e mod N) = (m_1 m_2)^e mod N. Thus, Decrypt(c_1 · c_2) = Decrypt(c_1) · Decrypt(c_2), where c_i = m_i^e mod N is the ciphertext corresponding to the plaintext m_i.

For ElGamal, suppose the private key is x ∈ {1, ..., n − 1} and the public key is h = g^x ∈ G, where G is a cyclic group of order n generated by g. If m_1, m_2 ∈ G are plaintext messages, then the corresponding ciphertexts are of the form c_i = (a_i, b_i) = (g^{r_i}, m_i h^{r_i}) ∈ G × G for i = 1 and 2, where the r_i are chosen by the encryptor(s) at random in {1, ..., n − 1}. Then

$$\mathrm{Decrypt}(c_1 \cdot c_2) = \mathrm{Decrypt}(a_1 a_2,\, b_1 b_2) = \big((a_1 a_2)^x\big)^{-1} b_1 b_2 = (a_1^x)^{-1} b_1 \cdot (a_2^x)^{-1} b_2 = \mathrm{Decrypt}(c_1) \cdot \mathrm{Decrypt}(c_2).$$

There have been other encryption schemes with homomorphic properties. For example, the Goldwasser-Micali cryptosystem [GM] and its generalization the Paillier cryptosystem [Pa] are homomorphic with respect to addition of plaintexts in the sense that

$$\mathrm{Decrypt}(c_1 \cdot c_2) = m_1 + m_2,$$

but are not homomorphic with respect to multiplication of plaintexts.

¹Note that "basic" RSA and ElGamal are not considered secure for most real world applications, and must be modified to be made secure.
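To see the one-operation homomorphisms concretely, here is an added Python example (written for this edition, not code from the paper) with toy versions of textbook RSA, ElGamal, and Paillier. It checks that multiplying RSA or ElGamal ciphertexts multiplies the plaintexts, and that multiplying Paillier ciphertexts adds the plaintexts. The primes, the generator g = 2 of (Z/467Z)^*, the random seed, and the messages are all choices made for the example; the parameters are far too small for any real use, and these are the "basic" textbook forms the footnote refers to.

```python
"""Added example (not from the paper): toy RSA, ElGamal and Paillier, checking
Decrypt(c1*c2) = m1*m2 (RSA, ElGamal) and Decrypt(c1*c2) = m1 + m2 (Paillier).
All parameters are tiny, constructed choices; nothing here is usable in practice.
"""
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


# --- textbook RSA over Z/NZ ---------------------------------------------------
def rsa_keygen(p, q, e=17):
    """Public key (N, e), private key d with d*e = 1 mod phi(N)."""
    N, phi = p * q, (p - 1) * (q - 1)
    return (N, e), pow(e, -1, phi)


def rsa_encrypt(pk, m):
    N, e = pk
    return pow(m, e, N)


def rsa_decrypt(pk, d, c):
    return pow(c, d, pk[0])


# --- textbook ElGamal in the cyclic group G = (Z/pZ)^* of order n = p - 1 -----
def elgamal_keygen(p, g, rng):
    x = rng.randrange(1, p - 1)              # private key x in {1, ..., n-1}
    return (p, g, pow(g, x, p)), x           # public key h = g^x


def elgamal_encrypt(pk, m, rng):
    p, g, h = pk
    r = rng.randrange(1, p - 1)
    return (pow(g, r, p), m * pow(h, r, p) % p)   # (a, b) = (g^r, m*h^r)


def elgamal_decrypt(pk, x, c):
    p, a, b = pk[0], c[0], c[1]
    return pow(pow(a, x, p), -1, p) * b % p        # (a^x)^{-1} * b


def elgamal_mul(pk, c1, c2):
    """Componentwise product (a1*a2, b1*b2) in G x G."""
    p = pk[0]
    return (c1[0] * c2[0] % p, c1[1] * c2[1] % p)


# --- Paillier: additively homomorphic over Z/nZ -------------------------------
def paillier_keygen(p, q):
    """Uses g = n + 1; lam = lcm(p-1, q-1); mu = L(g^lam mod n^2)^{-1} mod n."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1
    L = lambda x: (x - 1) // n
    mu = pow(L(pow(g, lam, n * n)), -1, n)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m, rng):
    n, g = pk
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(pk, sk, c):
    n, (lam, mu) = pk[0], sk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def paillier_add(pk, c1, c2):
    """Multiplying ciphertexts mod n^2 adds the plaintexts mod n."""
    return c1 * c2 % (pk[0] ** 2)


def check_homomorphisms(seed=1):
    """Return (rsa_ok, elgamal_ok, paillier_ok) for constructed sample messages."""
    rng = random.Random(seed)

    pk, d = rsa_keygen(61, 53)                       # N = 3233
    m1, m2 = 12, 7
    c = rsa_encrypt(pk, m1) * rsa_encrypt(pk, m2) % pk[0]
    rsa_ok = rsa_decrypt(pk, d, c) == m1 * m2 % pk[0]

    epk, x = elgamal_keygen(467, 2, rng)             # 2 generates (Z/467Z)^*
    m1, m2 = 100, 200
    c = elgamal_mul(epk, elgamal_encrypt(epk, m1, rng), elgamal_encrypt(epk, m2, rng))
    elgamal_ok = elgamal_decrypt(epk, x, c) == m1 * m2 % 467

    ppk, psk = paillier_keygen(11, 13)               # n = 143
    m1, m2 = 37, 58
    c = paillier_add(ppk, paillier_encrypt(ppk, m1, rng), paillier_encrypt(ppk, m2, rng))
    paillier_ok = paillier_decrypt(ppk, psk, c) == (m1 + m2) % 143

    return rsa_ok, elgamal_ok, paillier_ok


if __name__ == "__main__":
    print(check_homomorphisms())
```

The same multiplicativity that makes the check pass is why the "basic" forms are malleable: anyone holding ciphertexts can produce a valid ciphertext of a related plaintext without the key, which is what the hardened real-world variants the footnote alludes to are designed to prevent.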

In [BonGN], Boneh, Goh, and Nissim gave a partially homomorphic encryption scheme that can do one multiplication and any number of additions.

2.2. Gentry's FHE scheme and beyond. Craig Gentry solved the problem of how to do Fully Homomorphic Encryption in his Stanford PhD thesis [G1, G2, G3]. For the first time, there was now a scheme that could (inefficiently) do an arbitrary number of additions and multiplications.

Gentry's solution used ideal lattices, i.e., ideals in algebraic number fields. Given that one requires a homomorphic property with respect to two operations, it is natural that rings come into play. In [G1] and [G2], the rings Gentry used were of the form

$$R := Z[x]/(x^N + 1) \quad \text{and} \quad R_d := (Z/dZ)[x]/(x^N + 1)$$

where N = 2^n (see §4 below). It was later realized that one can use the rings Z and Z/dZ to construct schemes parallel to those that use the rings R and R_d (see §3 below). Brakerski's scheme in [Br] uses a tensor product operation on the ciphertexts rather than standard ring multiplication.

There have been a number of improvements, implementations, and new schemes. See for example [SmV, DGHV, G4, SS, GH1, LaNV, GH2, BV2, BV1, CorMNT, LMSV, BrGV, GHS1, GHS2, CorNT]. The NTRU encryption scheme [HofPS], which was developed in the late 1990’s, turned out to be “somewhat homomorphic”, and has been turned into an FHE scheme [LTV]. For some recent (at the time this article went to press) FHE schemes that are much more efficient than the original ones, see [Br, BosLLN].

2.3. Security. The primary known attacks on FHE schemes are variants of the LLL lattice basis reduction algorithm [LLL]. The security of almost all currently known schemes is based on the presumed difficulty of some lattice problem, such as finding an approximately shortest (non-zero) vector in a high dimensional lattice.

A  number  of  FHE  schemes  use  ideal  lattices  rather  than  arbitrary  lattices.  These 
are  very  special  lattices,  and  it  might  turn  out  to  be  the  case  that  lattice  attacks  are 
easier  for  ideal  lattices  than  for  generic  lattices.  This  is  an  open  question.  At  the 
moment,  special  attacks  that  work  better  for  ideal  lattices  than  for  general  lattices 
are  not  yet  known. 

Some  of  the  recent  FHE  systems  that  are  garnering  a  lot  of  interest  are  secure 
subject  to  the  Ring-LWE  (Learning  With  Errors)  or  decisional  Ring-LWE  Problem 
being  difficult  (see  §5  below). 

Using ideas from [Br], it is shown in [BosLLN] that the security of fully homomorphic variants of NTRU-based schemes can be based on the presumed difficulty of the Ring-LWE Problem.
2.4. Somewhat Homomorphic Encryption (SHE). Somewhat Homomorphic Encryption (SHE) schemes are encryption schemes that have some homomorphic properties but are not fully homomorphic. With Somewhat Homomorphic Encryption one can generally do a limited number of additions and multiplications, but each time one does an operation, it contributes “noise” to the ciphertext (see §3 for an example). Eventually the noise is so great that it is not possible to decrypt. Also, in SHE schemes the ciphertexts could get larger (message expansion), i.e., the compact ciphertexts requirement might be violated. In Gentry’s initial work he started with an SHE scheme and then “bootstrapped” it to obtain an FHE scheme.

2.5. Bootstrapping. Gentry’s original FHE papers and thesis introduced the idea of bootstrapping. One “bootstraps” to go from a (bootstrappable) somewhat homomorphic encryption scheme to a fully homomorphic encryption scheme.

To make an SHE scheme fully homomorphic, one can include as part of the public key an encryption of the private key. When a ciphertext gets too large or too noisy, the encryptor can then use the somewhat homomorphic encryption scheme to evaluate the decryption function applied to the ciphertext, using the encrypted private key. This re-encryption process produces a new encryption of the original plaintext that is more compact and less noisy. For this to work, it is necessary for the somewhat homomorphic scheme to be “circular secure” (i.e., it must be able to securely encrypt its own private key) and capable of evaluating the function $f = \mathrm{Decrypt}$ and “a little more” (enough to allow homomorphic encryptions with respect to addition and multiplication; see the “augmented decryption circuits” in Definition 4 of [G1] or [DGHV]).

Gentry also uses what he calls “squashing” of the decryption circuit in order to simplify decryption enough so that it is among the functions that the somewhat homomorphic scheme can homomorphically evaluate correctly. Squashing converts an SHE scheme into a bootstrappable SHE scheme. In [BV2], Brakerski and Vaikuntanathan use “dimension-modulus reduction” to simplify the decryption circuit and avoid squashing. Another way to remove squashing is given in [GH2].

In [BrGV], Brakerski, Gentry, and Vaikuntanathan use “modulus switching” to reduce noise and lessen the need for bootstrapping. Modulus switching replaces a ciphertext mod $p_1$ with a ciphertext modulo a smaller modulus $p_2$ that decrypts to the same plaintext.

See [G3] for a nice analogy (“Alice’s jewelry store”, with jewelry fabricated in nested secure gloveboxes) that gives the idea of FHE and bootstrapping. See the survey article [V1] for a good description of modulus switching and other concepts from FHE.

2.6.  Malleability.  We  remark  that  FHE  schemes  are  always  “malleable”.  In 
cryptography,  malleability  means  that  a  ciphertext  can  be  perturbed  to  create  a  new 
ciphertext  that  decrypts  to  a  perturbation  (in  a  known  way)  of  the  original  plaintext. 
In  a  non-malleable  encryption  scheme,  perturbing  a  ciphertext  a  little  will  generally 
produce an invalid ciphertext, i.e., one that does not decrypt to a valid plaintext. 
Malleability  is  often  an  undesirable  property  in  cryptography.  For  example,  if  an 
auction  uses  encrypted  bids,  and  (an  adversary)  Mallory  sees  the  encryption  of  Bob’s 
bid,  one  wants  it  to  be  the  case  that  Mallory  cannot  construct  a  new  ciphertext  that 
decrypts  to  a  bid  that  is  a  dollar  more  than  Bob’s  bid,  i.e.,  one  wants  non-malleable 
encrypted  bids. 

There has been some work on obtaining partial or “targeted” non-malleability along with some limited homomorphic ability; see for example [PR, BonSW, E]. There are interesting open questions in this area.

3.  Somewhat  Homomorphic  Encryption  over  the  integers 

We begin with a warm-up example from the introduction to [DGHV]. This example of a somewhat homomorphic encryption scheme comes in two flavors, symmetric key and public key. To keep it short, we will be very imprecise about parameter choices and other details.

We first give the symmetric key version. The shared key is an odd positive integer $k$. The message is a bit $m \in \{0, 1\}$. The encryptor chooses random integers $q$ and $r$ in a certain range, and so that $|2r| < k/2$, and computes the ciphertext

$c = m + kq + 2r.$

To decrypt, the decryptor computes $(c \bmod k) \bmod 2 = m$, where $a \bmod w$ means that one takes the representative of $a \bmod w$ in the range $(-w/2, w/2]$.

If $c_i = m_i + kq_i + 2r_i$ for $i = 1, 2$, then

$c_1 + c_2 = (m_1 + m_2) + k(q_1 + q_2) + 2(r_1 + r_2),$

$c_1 \cdot c_2 = m_1 m_2 + k(m_1 q_2 + m_2 q_1 + k q_1 q_2 + 2 q_1 r_2 + 2 r_1 q_2) + 2(m_1 r_2 + r_1 m_2) + 4 r_1 r_2.$

Thus the noise grows, and after one does too many multiplications or additions, the decryption function no longer outputs the correct plaintext. The ciphertexts also blow up in size. This Somewhat Homomorphic Encryption scheme is not fully homomorphic, but in [DGHV] van Dijk et al. use Gentry’s bootstrapping techniques to turn it into a Fully Homomorphic Encryption scheme.

A public key version, as in §3.1 of [DGHV], is as follows. The secret key is again an odd positive integer $k$. The public key now consists of the integers $x_i = kq_i + 2r_i$ for $i = 0, 1, \ldots, t$, where the $q_i$ and $r_i$ are as before, so each $x_i$ can be viewed as an encryption of 0 under the symmetric key scheme. The $x_i$ are taken so that $x_0$ is the largest, $x_0$ is odd, and $x_0 \bmod k$ is even, where again $x \bmod k$ is in the interval $(-k/2, k/2]$.

To encrypt a message bit $m \in \{0, 1\}$, the encryptor chooses a random subset $S$ of $\{1, \ldots, t\}$ and a random integer $r$ in a certain range. The ciphertext is

$c = m + 2 \sum_{i \in S} x_i + 2r \bmod x_0.$

The decryptor computes $(c \bmod k) \bmod 2 = m$.
The security is based on the difficulty of the Approximate Common Divisor Problem, which is the problem of finding $k$ given a collection of integers of the form $\{kq_i + r_i\}_{i=0}^{t}$ with $r_i$ “small”. Approximate Common Divisor Problems were introduced in [How] and have been studied in [CN, CoH].
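Both flavors of the warm-up scheme of this section, the symmetric key version and the public key version of §3.1 of [DGHV], as example code added for this page (it is not code from [DGHV] or from the authors of this report). The parameter sizes (a 20-bit key $k$, 40-bit $q$, $|r| \le 8$, $t = 10$) are toy values chosen here so that the noise growth from multiplication becomes visible after a few levels; the names of the helper functions are this example’s own.

```python
import random

def cmod(a, w):
    """Representative of a mod w in the range (-w/2, w/2], as in the text."""
    a %= w
    return a - w if 2 * a > w else a

def decrypt(k, c):
    """(c mod k) mod 2, both reductions centred; used by both versions."""
    return cmod(cmod(c, k), 2)

# --- symmetric key version ---------------------------------------------------
def sym_keygen(rng, kbits=20):
    """The shared key: an odd positive integer k (toy size)."""
    return rng.randrange(1 << (kbits - 1), 1 << kbits) | 1

def sym_encrypt(k, m, q, r):
    """c = m + k*q + 2*r.  A fresh ciphertext must satisfy |2r| < k/2."""
    return m + k * q + 2 * r

def sym_encrypt_random(k, m, rng, qbits=40, rbits=3):
    q = rng.randrange(1 << qbits)
    r = rng.randrange(-(1 << rbits), (1 << rbits) + 1)
    return sym_encrypt(k, m, q, r)

def product_decrypts_correctly(k, rng, depth):
    """Multiply 2**depth fresh ciphertexts; True iff the product still decrypts to
    the AND of the bits.  The noise of a product is the product of the noises, so
    this fails once 2**depth is large enough for the noise to exceed k/2."""
    bits = [rng.randrange(2) for _ in range(1 << depth)]
    prod = 1
    for b in bits:
        prod *= sym_encrypt_random(k, b, rng)
    return decrypt(k, prod) == int(all(bits))

# --- public key version (section 3.1 of [DGHV]) --------------------------------
def pk_keygen(rng, t=10, qbits=40, rbits=3):
    """Secret key k; public key x_i = k*q_i + 2*r_i for i = 0..t, with x_0 the
    largest, x_0 odd and x_0 mod k even.  Forcing q_0 odd and larger than every
    other q_i gives all three properties at once (x_0 mod k is 2*r_0, which is even)."""
    k = sym_keygen(rng)
    xs = []
    for i in range(t + 1):
        q = (1 << qbits) | 1 if i == 0 else rng.randrange(1 << qbits)
        r = rng.randrange(-(1 << rbits), (1 << rbits) + 1)
        xs.append(sym_encrypt(k, 0, q, r))
    assert xs[0] % 2 == 1 and cmod(xs[0], k) % 2 == 0 and max(xs) == xs[0]
    return k, xs

def pk_encrypt(xs, m, rng, rbits=3):
    """c = m + 2*sum_{i in S} x_i + 2r mod x_0 for a random subset S of {1, ..., t}."""
    subset_sum = sum(x for x in xs[1:] if rng.random() < 0.5)
    r = rng.randrange(-(1 << rbits), (1 << rbits) + 1)
    return cmod(m + 2 * subset_sum + 2 * r, xs[0])

def demo(seed=2024):
    """One run of both versions; the comments give the values the text predicts."""
    rng = random.Random(seed)
    k = sym_keygen(rng)
    c0, c1 = sym_encrypt_random(k, 0, rng), sym_encrypt_random(k, 1, rng)
    k_pk, xs = pk_keygen(rng)
    return {
        "sym_roundtrip": (decrypt(k, c0), decrypt(k, c1)),                             # (0, 1)
        "sym_add_mul": (decrypt(k, c0 + c1), decrypt(k, c0 * c1), decrypt(k, c1 * c1)),  # (1, 0, 1)
        "depth_2_ok": product_decrypts_correctly(k, rng, 2),                           # True
        "too_noisy": decrypt(k, sym_encrypt(k, 0, 5, (k + 1) // 2)),                   # 1: 2r > k/2 breaks decryption
        "pk_roundtrip": (decrypt(k_pk, pk_encrypt(xs, 0, rng)), decrypt(k_pk, pk_encrypt(xs, 1, rng))),  # (0, 1)
    }

if __name__ == "__main__":
    print(demo())
    rng = random.Random(1)
    k = sym_keygen(rng)
    for depth in range(1, 6):   # watch the multiplicative noise overtake k/2
        print("depth", depth, "ok" if product_decrypts_correctly(k, rng, depth) else "noise too large")
```

With these sizes a product of four fresh ciphertexts has noise at most $17^4 < k/2$ and always decrypts, while eight factors usually push the noise past $k/2$; the `too_noisy` entry constructs a single ciphertext whose $2r$ exceeds $k/2$ and shows that decryption then returns the wrong bit.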

4. The Gentry, Smart-Vercauteren, and Gentry-Halevi SHE schemes 

As an illustration of a lattice based system, we give a version of the Somewhat Homomorphic Encryption schemes that were introduced by Gentry in [G1, G2] and improved on by Smart and Vercauteren in [SmV] and by Gentry and Halevi in [GH1] (see also [LMSV]). In these schemes, the public key corresponds to a “bad” (skewed) basis for a lattice, while the private key is a “good” (more orthogonal) basis for the same lattice. The ($N$-dimensional) lattices are ideals in the ring of integers of the cyclotomic field of $2N$-th roots of unity. The plaintext is encoded as a (suitable) point in the ambient space $\mathbb{R}^N$. Encryption translates that point into the fundamental parallelepiped associated to the bad (public) basis. Decryption translates the ciphertext point into the fundamental parallelepiped associated to the good (private) basis. (See Figure 1 and the description near the end of §4.1.) The security relies partly on the fact that it is generally difficult to find a good, nearly orthogonal basis for a given lattice.


Figure  1.  Encryption  and  Decryption 


4.1. The scheme. We next give some of the details of a version of the scheme. Let

$F(x) = x^N + 1 \in \mathbb{Z}[x]$

with $N = 2^n$. Let $\theta$ be a root of $F(x)$; then $\theta$ is a primitive $2N$-th root of unity. Let

$K := \mathbb{Q}[x]/(F(x)) \cong \mathbb{Q}(\theta),$

a CM-field of degree $N$ over $\mathbb{Q}$.

Approved for Public Release; Distribution Unlimited.

Let

$v(x) = \sum_{i=0}^{N-1} v_i x^i \in \mathbb{Z}[x]$

be a degree $N - 1$ polynomial whose coefficients $v_i$ are random $t$-bit integers for a suitably chosen $t$, and

$V := \begin{pmatrix} v_0 & v_1 & \cdots & v_{N-1} \\ -v_{N-1} & v_0 & \cdots & v_{N-2} \\ \vdots & \vdots & \ddots & \vdots \\ -v_1 & -v_2 & \cdots & v_0 \end{pmatrix} \in M_N(\mathbb{Z}).$

The rows of $V$ are the coefficients of $x^i v(x) \bmod F(x)$ for $i = 0, \ldots, N - 1$. Let $L$ denote the lattice in $\mathbb{Z}^N$ generated by the rows of $V$, let $\gamma = v(\theta) \in K$, let $N_{K/\mathbb{Q}} : K \to \mathbb{Q}$ denote the norm map, and let

$d := N_{K/\mathbb{Q}}(\gamma) = \det(V) = \det(L) = \mathrm{resultant}(F, v).$

Replace the random polynomial $v(x)$ if necessary, until you have found one for which $d$ is odd and square-free. (In [SmV], they start with $v(x) \equiv 1 \pmod{2\mathbb{Z}[x]}$ to ensure that $d$ is odd, and they replace $v(x)$, if necessary, until they find one for which $d$ is prime. In [GH1] they show that it is not necessary for $d$ to be prime; it suffices to have $d$ odd and square-free.)

Whenever $A$ is a matrix whose rows $\{a_1, \ldots, a_N\}$ form a $\mathbb{Z}$-basis for a lattice $L \subset \mathbb{R}^N$, define

$\mathcal{P}(A) := \left\{ \sum_{i=1}^{N} c_i a_i : c_i \in [-0.5, 0.5) \right\},$

a (half-open) parallelepiped. This is the “fundamental parallelepiped” associated to $A$. Every element of $\mathbb{R}^N / L$ has a unique representative in $\mathcal{P}(A)$.

All reductions mod $d$ will be taken in the range $[-d/2, d/2)$. Let $r \in [-d/2, d/2)$ denote the unique common root of $F(x)$ and $v(x)$ mod $d$. Let $r_i = r^i \pmod d$ and

$B := \begin{pmatrix} d & 0 & 0 & \cdots & 0 \\ -r & 1 & 0 & \cdots & 0 \\ -r_2 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -r_{N-1} & 0 & 0 & \cdots & 1 \end{pmatrix} \in M_N(\mathbb{Z}).$

Since $d$ is odd and square-free, it follows that $B$ is the Hermite Normal Form of the matrix $V$.

The public key now consists of $d$ and $r$ (or equivalently the matrix $B$), and the secret key is $v(x)$ (or the matrix $V$). To encrypt a bit $m \in \{0, 1\}$, choose a random noise polynomial $u(x) = \sum_{i=0}^{N-1} u_i x^i$ with each coefficient $u_i \in \{0, \pm 1\}$ taking values $1$ and $-1$ with equal probability. Let $a(x) = m + 2u(x)$ and let

$\mathbf{a} := (2u_0 + m, 2u_1, \ldots, 2u_{N-1})$

be the vector of coefficients of $a(x)$. Let $\lceil \cdot \rfloor$ denote rounding to the nearest integer.

Let the ciphertext be

$\mathbf{c} := \mathbf{a} - (\lceil \mathbf{a} B^{-1} \rfloor B) = (m + 2u(r) \bmod d, 0, \ldots, 0),$

which is the translation of $\mathbf{a}$ to the parallelepiped $\mathcal{P}(B)$ (where translation means that one subtracts lattice vectors until one lands in the fundamental parallelepiped).

To decrypt a ciphertext $\mathbf{c}$, let

$\mathbf{a}' := \mathbf{c} - (\lceil \mathbf{c} V^{-1} \rfloor V) = (a_0, \ldots, a_{N-1}),$

which is the translation of $\mathbf{c}$ to the parallelepiped $\mathcal{P}(V)$, and compute $m = a_0 \pmod 2$. As shown on p. 145 of [GH1], decryption works (i.e., $\mathbf{a}' = \mathbf{a}$) as long as the absolute value of every entry in $\mathbf{a} V^{-1}$ is less than 

In Figure 1, the small dots are the lattice. The light gray point represents the plaintext, the (inside of the) light gray diamond represents the fundamental parallelepiped $\mathcal{P}(V)$, the (inside of the) dark parallelogram represents the fundamental parallelepiped $\mathcal{P}(B)$, and the large dark point, which is the ciphertext, is the translation to $\mathcal{P}(B)$ of the light gray point.

The rows of the matrix $B$ are a “bad”, i.e., skewed basis for the lattice $L$, while the rows of $V$ are a “good” (secret) basis for $L$. If the rows of $V$ are sufficiently orthogonal, and if the plaintext point is chosen in a suitable way, then decryption yields the original plaintext point.

The scheme is homomorphic because its multiplication and addition are just multiplication and addition in the ring of integers of the cyclotomic field $K$.
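The scheme of §4.1 end to end, as example code added for this page (not code from [GH1], [SmV] or the authors of this report): the rotation basis $V$, the determinant $d$, the common root $r$, the public basis $B$, and encryption and decryption as translations into $\mathcal{P}(B)$ and $\mathcal{P}(V)$. Everything is a toy: $N = 4$ and 6-bit coefficients are assumptions chosen so that $d$ stays small enough to test for square-freeness by trial division. Two things are this example’s own choices rather than the text’s: $r$ is read off from the integer matrix $d \cdot V^{-1}$ (its first row is $d/\gamma$ and its second row is $\theta d/\gamma$ in the basis $1, \theta, \ldots$), and key generation additionally rejects a $V$ whose inverse is too large for every vector with entries in $[-6, 6]$ to lie in $\mathcal{P}(V)$, which guarantees that fresh ciphertexts and one homomorphic sum decrypt.

```python
import math
import random
from fractions import Fraction

N = 4        # N = 2^n; toy size (the text's schemes use N in the thousands)
T_BITS = 6   # bit length of the coefficients of v(x); toy size

def mul_mod_f(a, b):
    """Multiply coefficient vectors in Z[x]/(x^N + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj          # x^N = -1
    return res

def rotation_basis(v):
    """The secret matrix V: row i is the coefficient vector of x^i v(x) mod F(x)."""
    rows, cur, x = [], list(v), [0, 1] + [0] * (N - 2)
    for _ in range(N):
        rows.append(cur)
        cur = mul_mod_f(cur, x)
    return rows

def inverse_and_det(M):
    """Gauss-Jordan over Q: (M^{-1}, det M), or (None, 0) if M is singular."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    det = Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return None, 0
        if p != c:
            A[c], A[p], det = A[p], A[c], -det
        det *= A[c][c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A], det

def is_squarefree(n):
    p = 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return False
        else:
            p += 1
    return True

def centred(a, d):
    """Representative of a mod d in [-d/2, d/2)."""
    return (a + d // 2) % d - d // 2

def common_root(Vinv, d):
    """The r with theta ≡ r mod (gamma): d*V^{-1} is integral, row 0 = d/gamma and
    row 1 = theta*d/gamma, so r is the ratio of a matching pair of coefficients mod d."""
    g = [int(x * d) for x in Vinv[0]]
    w = [int(x * d) for x in Vinv[1]]
    for gi, wi in zip(g, w):
        if math.gcd(gi, d) == 1:
            return centred(wi * pow(gi % d, -1, d), d)
    raise ValueError("no unit coefficient: d is not square-free")

def hnf_basis(d, r):
    """Public basis B: first row (d, 0, ..., 0), row i = (-r^i mod d, e_i)."""
    B = [[0] * N for _ in range(N)]
    B[0][0] = d
    for i in range(1, N):
        B[i][0], B[i][i] = -centred(pow(r, i, d), d), 1
    return B

def translate(point, basis, basis_inv):
    """point - round(point * basis^{-1}) * basis, the representative in P(basis)."""
    coords = [sum(p * basis_inv[i][j] for i, p in enumerate(point)) for j in range(N)]
    rounded = [round(x) for x in coords]
    return [p - sum(rounded[i] * basis[i][j] for i in range(N)) for j, p in enumerate(point)]

def keygen(rng):
    """Resample v until d is odd and square-free, plus the added decryption-radius check."""
    while True:
        v = [rng.randrange(-(1 << T_BITS), 1 << T_BITS) for _ in range(N)]
        V = rotation_basis(v)
        Vinv, det = inverse_and_det(V)
        d = abs(int(det))
        if Vinv is None or d % 2 == 0 or not is_squarefree(d):
            continue
        if 6 * max(sum(abs(Vinv[i][j]) for i in range(N)) for j in range(N)) >= Fraction(1, 2):
            continue                                # added check: entries in [-6, 6] stay in P(V)
        r = common_root(Vinv, d)
        B = hnf_basis(d, r)
        return (d, r, B, inverse_and_det(B)[0]), (V, Vinv)

def encrypt(pk, m, rng):
    d, r, B, Binv = pk
    u = [rng.choice([-1, 1]) if rng.random() < 0.5 else 0 for _ in range(N)]   # u_i in {0, ±1}
    a = [m + 2 * u[0]] + [2 * ui for ui in u[1:]]
    return translate(a, B, Binv)            # equals (m + 2u(r) mod d, 0, ..., 0)

def decrypt(sk, c):
    V, Vinv = sk
    return translate(c, V, Vinv)[0] % 2

def demo(seed=11):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    d, r, B, _ = pk
    V, _ = sk
    c0, c1 = encrypt(pk, 0, rng), encrypt(pk, 1, rng)
    return {
        "d_odd_squarefree": d % 2 == 1 and is_squarefree(d),
        "r_common_root": (pow(r, N, d) + 1) % d == 0 and sum(vi * pow(r, i, d) for i, vi in enumerate(V[0])) % d == 0,
        "ciphertext_shape": c0[1:] == [0] * (N - 1) and c1[1:] == [0] * (N - 1),
        "roundtrip": (decrypt(sk, c0), decrypt(sk, c1)),                       # (0, 1)
        "sum": decrypt(sk, [x + y for x, y in zip(c0, c1)]),                   # 1: addition in the ring
    }
```

The `ciphertext_shape` entry confirms the closed form $(m + 2u(r) \bmod d, 0, \ldots, 0)$ given in the text: subtracting $\lceil \mathbf{a} B^{-1} \rfloor B$ kills every coordinate but the first because $B$ is in Hermite Normal Form.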

4.2.  Security.  The  security  of  the  above  scheme  is  based  on  the  simultaneous 
difficulty  of  the  following  problems.  (Note  that  more  recent  FHE  schemes  do  not  rely 
on  SPIP,  PCP,  or  SSSP,  so  interest  in  these  problems  might  be  more  theoretical  or 
mathematical  than  practical.) 

The Small Principal Ideal Problem (SPIP) is the problem, given a principal ideal in either Hermite Normal Form (i.e., the matrix $B$) or two element representation (i.e., $(d, \theta - r)$), of finding a “small” generator (e.g., $v(\theta)$) for it. If the SPIP is sufficiently hard, that would thwart a key recovery attack, wherein an adversary who knows the public key ($B$ or $(d, r)$) tries to find the secret key ($v(x)$).

Security against an attack where the adversary tries to find the plaintext, given a ciphertext, is closely related to the difficulty of the Closest Vector Problem (CVP) for ideal lattices. This is the problem of finding a closest lattice point to a given point in the ambient space.

Another type of security is “semantic security”. The requirement for semantic security is that an adversary, who is presented with a ciphertext that is either an encryption of 0 or an encryption of 1, cannot distinguish which it is with probability greater than $\frac{1}{2} + \epsilon$ of getting the correct answer. The semantic security of the scheme is related to a new problem, that Smart and Vercauteren call the Polynomial Coset Problem (PCP). The Polynomial Coset Problem is the problem of distinguishing between a random element of $\mathbb{Z}/d\mathbb{Z}$ and an element of the form $f(r) \bmod d$, where $f(x) \in \mathbb{Z}[x]$ is random (and unknown) with small coefficients and $r$ is the common root of $F(x)$ and $v(x)$ mod $d$. The paper [SmV] states that the Polynomial Coset Problem is akin to Gentry’s Ideal Coset Problem from [G1]. These problems can be viewed as versions of the Bounded Distance Decoding problem from coding theory.

Gentry, Smart-Vercauteren and Gentry-Halevi “bootstrap” their somewhat homomorphic encryption schemes into fully homomorphic encryption schemes using a re-encryption algorithm. Making this cryptographically secure requires an additional security assumption, namely the difficulty of a decisional version of the Sparse Subset-Sum Problem (SSSP), i.e., it should be difficult to distinguish between random subsets of $\mathbb{Z}/d\mathbb{Z}$ and those that have sparse subsets that sum to 0. Here, bootstrapping augments the public key with a “hint” about the secret key, namely, with a large set of vectors that has a very sparse subset that sums to the secret key.


4.3. Why $F$ and $v$ have exactly one common root mod $d$. Since it is not in the FHE literature, we give a proof that $F(x)$ and $v(x)$ have a unique common root mod $d$. This shows the use of some algebraic number theory in FHE. The next result allows for a more general polynomial $F(x)$. As usual, $\mathcal{O}_K$ denotes the ring of integers in the number field $K$.

Lemma 1. Suppose $F(x), v(x) \in \mathbb{Z}[x]$. Suppose that $F(x)$ is monic and irreducible, and $\theta \in \overline{\mathbb{Q}}$ is a root of $F$. Let $K = \mathbb{Q}[x]/(F(x)) = \mathbb{Q}(\theta)$ and suppose $K/\mathbb{Q}$ is a Galois extension. Let $\gamma = v(\theta)$ and suppose that $N_{K/\mathbb{Q}}(\gamma)$ is square-free and relatively prime to the discriminant of $K$. Then $F(x) \bmod (\gamma)$ and $v(x) \bmod (\gamma)$ have exactly one common root in $\mathcal{O}_K/(\gamma)$, namely $\theta \bmod (\gamma)$.

Proof. Since $v(\theta) = \gamma$ and $F(\theta) = 0$ both map to $0$ under the projection map $\mathcal{O}_K \to \mathcal{O}_K/(\gamma)$, it follows that $\theta$ is a common root of $F(x) \bmod (\gamma)$ and $v(x) \bmod (\gamma)$. Since $K/\mathbb{Q}$ is Galois, $F(x)$ splits completely in $K[x]$, so the reductions mod $(\gamma)$ of the roots of $F(x)$ are the roots of $F(x) \bmod (\gamma)$. Thus any other common root is the reduction mod $(\gamma)$ of a root of $F(x)$, so it is $\sigma(\theta)$ for some non-identity $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$. But $v(\sigma(\theta)) = \sigma(v(\theta)) = \sigma(\gamma)$, which cannot be $0 \bmod (\gamma)$, since $\gcd(\sigma(\gamma), \gamma) = 1$, as follows.

Factor $\gamma \mathcal{O}_K = \prod_i \mathfrak{p}_i$ with prime ideals $\mathfrak{p}_i$ of $\mathcal{O}_K$. Since $N_{K/\mathbb{Q}}(\gamma)$ is square-free and relatively prime to the discriminant of $K$, it follows that:

(a) each $\mathfrak{p}_i$ has degree one (i.e., its norm is a prime in $\mathbb{Z}$),

(b) the different $\mathfrak{p}_i$’s have distinct residue characteristics, and

(c) $\sigma(\mathfrak{p}_i) \neq \mathfrak{p}_j$ for all $i$ and $j$.

To obtain (c), note that if $\sigma(\mathfrak{p}_j) = \mathfrak{p}_j$, then $\sigma$ would be in the decomposition group for $\mathfrak{p}_j$, whose order is the degree of $\mathfrak{p}_j$, which is $1$ by (a). Part (c) now follows from (b). Since $\sigma(\gamma) \mathcal{O}_K = \prod_i \sigma(\mathfrak{p}_i)$, it now follows that $\gcd(\sigma(\gamma), \gamma) = 1$. □
5. LWE and Ring-LWE 

A  promising  recent  development  is  to  create  Fully  Homomorphic  Encryption 
schemes  whose  security  is  based  on  the  difficulty  of  the  LWE  Problem  (introduced 
in  [R])  or  the  Ring-LWE  Problem  (introduced  in  [LyPR]).  These  FHE  schemes  are 
more  efficient  than  earlier  schemes,  with  short  ciphertexts. 

LWE stands for Learning With Errors. A version of the LWE Problem is as follows. If $F$ is a field and $v = (v_1, \ldots, v_n), w = (w_1, \ldots, w_n) \in F^n$, let $\langle v, w \rangle$ denote the usual inner product $\sum_{j=1}^{n} v_j w_j$. Take $p$ prime, of size polynomial in a parameter $n$. For uniformly random $a_i \in \mathbb{F}_p^n$, and “noise” $e_i \in \mathbb{Z}$ chosen via a probability distribution (usually Gaussian) that outputs $e_i$ with $|e_i|$ much smaller than $p$, given polynomially (in $n$) many pairs $(a_i, b_i = \langle a_i, s \rangle + e_i \bmod p)$, find $s \in \mathbb{F}_p^n$. Here, the $e_i$’s are the errors, and the problem is to learn the secret $s$, even in the presence of errors. If there are no errors, i.e., all $e_i = 0$, then one can easily recover $s$ using linear algebra, given enough pairs $(a_i, b_i)$. When $p = 2$ the Learning With Errors Problem is known as the Learning Parity with Noise Problem.

In the decisional version one needs to distinguish such ordered pairs $(a_i, b_i)$ from uniformly random pairs $(a_i, u_i) \in \mathbb{F}_p^n \times \mathbb{F}_p$. By [R, Pe], this problem is at least as hard as (variants of) the problem of finding short vectors in lattices.

Next, following [BV2], we give a simplification of a symmetric key somewhat homomorphic encryption scheme whose security is based on the decisional version of LWE. The secret key is a random $s \in \mathbb{F}_p^n$. To encrypt a plaintext bit $m \in \{0, 1\}$, choose a random $a \in \mathbb{F}_p^n$ and a “noise” $e$. Compute $b := \langle a, s \rangle + 2e + m \in \mathbb{F}_p$. The ciphertext is $(a, b) \in \mathbb{F}_p^n \times \mathbb{F}_p$. To decrypt, compute $b - \langle a, s \rangle = 2e + m \pmod p$ and reduce mod $p$ to get $2e + m$ (since $|e| \ll p$). Now reduce mod 2 to obtain $m$. The scheme is homomorphic with respect to addition, until too much noise accumulates, and it is shown in [GHV] that a variant of the scheme can do one homomorphic multiplication but with a large ciphertext expansion. In [BV2] it is shown how to turn this into a fully homomorphic encryption scheme (without the need for squashing).

In Ring-LWE, $R$ is a ring. The Ring-LWE Problem is to find $s$, given polynomially many $(a_i, b_i) \in R \times R$ with $b_i = a_i s + e_i$ where the $a_i$’s are uniformly random in $R$, $s$ is random in $R$, and the $e_i$’s are “small” in $R$.

In the decisional version of Ring-LWE, one needs to distinguish such ordered pairs $(a_i, b_i)$ from uniformly random $(a_i, u_i) \in R \times R$.

Next, taken from [BV1], is a simplified symmetric key somewhat homomorphic encryption scheme whose security is based on the decisional version of Ring-LWE. Fix an odd prime $p$ and let $R_p$ denote the ring $\mathbb{F}_p[x]/(x^N + 1)$ where $N = 2^n$. The secret key is a random $s \in R_p$. To encrypt $m \in \mathbb{F}_2[x]/(x^N + 1)$, lift $m$ to a polynomial in $\mathbb{Z}[x]$ of degree $< N$ with coefficients in $\{0, 1\}$ and (reduce mod $p$ and mod $x^N + 1$ to) view it as an element $m$ of $R_p$. Then choose a random $a \in R_p$ and a “noise” $e$, and compute $b := as + 2e + m \in R_p$. The ciphertext is $(a, b) \in R_p \times R_p$. To decrypt, compute $b - as \pmod 2 = m$. Security follows from decisional Ring-LWE for $R_p$, since under the assumption that decisional Ring-LWE is a hard problem, and using the fact that $p$ is odd, pairs $(a, as + 2e)$ are indistinguishable from pairs $(a, u)$ where $u$ is uniformly random in $R_p$. Again, this can be turned into a fully homomorphic encryption scheme (see [BV1]).
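The two symmetric key schemes of this section, the LWE-based one following [BV2] and the Ring-LWE-based one following [BV1], as example code added for this page (not code from those papers or from the authors of this report). The modulus $p = 257$, the degree $N = 8$, the LWE dimension $n = 16$ and the error distribution on $\{-1, 0, 1\}$ are toy assumptions made here; the schemes use a Gaussian error with $|e| \ll p$. One routine goes beyond the text: `rlwe_mul` keeps the product of two Ring-LWE ciphertexts as a three-component ciphertext (a polynomial of degree 2 in the secret $s$), which shows the product noise $(m_1 + 2e_1)(m_2 + 2e_2)$ that [BV1] goes on to relinearise.

```python
import random

P = 257        # odd prime modulus (toy size)
N = 8          # N = 2^n, so R_p = F_p[x]/(x^N + 1) (toy size)
LWE_DIM = 16   # dimension n of the LWE secret (toy size)

def centred(a, w):
    """Representative of a mod w in (-w/2, w/2]."""
    a %= w
    return a - w if 2 * a > w else a

def small_noise(rng):
    """Toy error on {-1, 0, 1}; the schemes use a discrete Gaussian with |e| << p."""
    return rng.choice([-1, 0, 0, 1])

def inner(a, s):
    return sum(x * y for x, y in zip(a, s)) % P

# ---- LWE-based symmetric scheme, after the simplification in [BV2] ----------
def lwe_keygen(rng):
    return [rng.randrange(P) for _ in range(LWE_DIM)]

def lwe_encrypt(s, m, rng):
    """(a, b) with b = <a, s> + 2e + m in F_p."""
    a = [rng.randrange(P) for _ in range(LWE_DIM)]
    return a, (inner(a, s) + 2 * small_noise(rng) + m) % P

def lwe_decrypt(s, ct):
    """b - <a, s> = 2e + m mod p; centre it (|e| << p), then reduce mod 2."""
    a, b = ct
    return centred(b - inner(a, s), P) % 2

def lwe_add(ct1, ct2):
    return [(x + y) % P for x, y in zip(ct1[0], ct2[0])], (ct1[1] + ct2[1]) % P

# ---- Ring-LWE-based symmetric scheme, after the simplification in [BV1] -----
def poly_mul(f, g, mod=P):
    """Multiply in (Z/mod)[x]/(x^N + 1)."""
    res = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                res[i + j] += fi * gj
            else:
                res[i + j - N] -= fi * gj       # x^N = -1
    return [c % mod for c in res]

def poly_add(f, g, mod=P):
    return [(x + y) % mod for x, y in zip(f, g)]

def rlwe_keygen(rng):
    return [rng.randrange(P) for _ in range(N)]

def rlwe_encrypt(s, m_bits, rng):
    """m_bits is an element of F_2[x]/(x^N + 1), lifted to R_p.  The ciphertext
    (a, b) with b = a*s + 2e + m is stored as the coefficient list [b, -a] of the
    degree-1 polynomial b - a*s in the unknown s."""
    a = [rng.randrange(P) for _ in range(N)]
    noise_plus_m = [(2 * small_noise(rng) + mi) % P for mi in m_bits]
    b = poly_add(poly_mul(a, s), noise_plus_m)
    return [b, [(-ai) % P for ai in a]]

def rlwe_decrypt(s, ct):
    """Evaluate sum_i ct[i] s^i in R_p (Horner), centre mod p, reduce mod 2."""
    acc = [0] * N
    for coeff in reversed(ct):
        acc = poly_add(poly_mul(acc, s), coeff)
    return [centred(x, P) % 2 for x in acc]

def rlwe_add(ct1, ct2):
    return [poly_add(x, y) for x, y in zip(ct1, ct2)]

def rlwe_mul(ct1, ct2):
    """Product of the ciphertexts as polynomials in s (three components, no
    relinearisation).  The noise becomes (m1 + 2e1)(m2 + 2e2), whose coefficients
    are at most N * 9 = 72 < p/2 here, so the product still decrypts."""
    out = [[0] * N for _ in range(len(ct1) + len(ct2) - 1)]
    for i, ci in enumerate(ct1):
        for j, cj in enumerate(ct2):
            out[i + j] = poly_add(out[i + j], poly_mul(ci, cj))
    return out

def demo(seed=3):
    rng = random.Random(seed)
    s = lwe_keygen(rng)
    c1, c2 = lwe_encrypt(s, 1, rng), lwe_encrypt(s, 1, rng)
    sk = rlwe_keygen(rng)
    m1 = [rng.randrange(2) for _ in range(N)]
    m2 = [rng.randrange(2) for _ in range(N)]
    ct1, ct2 = rlwe_encrypt(sk, m1, rng), rlwe_encrypt(sk, m2, rng)
    return {
        "lwe_roundtrip": (lwe_decrypt(s, lwe_encrypt(s, 0, rng)), lwe_decrypt(s, c1)),   # (0, 1)
        "lwe_sum": lwe_decrypt(s, lwe_add(c1, c2)),                                       # 0, since 1 + 1 = 0 mod 2
        "rlwe_roundtrip": rlwe_decrypt(sk, ct1) == m1,
        "rlwe_sum": rlwe_decrypt(sk, rlwe_add(ct1, ct2)) == poly_add(m1, m2, 2),
        "rlwe_product": rlwe_decrypt(sk, rlwe_mul(ct1, ct2)) == poly_mul(m1, m2, 2),
    }
```

The centring step in both decryptors is what the text’s “reduce mod $p$ to get $2e + m$ (since $|e| \ll p$)” means: without it, a negative noise term such as $2e + m = -2$ would come back as $p - 2$, which is odd.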

Fully  homomorphic  encryption  schemes  based  on  Ring-LWE  are  more  efficient 
than  those  based  on  standard  LWE.  However,  Ring-LWE  uses  lattices  coming  from 
ideals  in  algebraic  number  fields.  As  mentioned  earlier,  it  is  not  known  whether 
cryptosystems  based  on  ideal  lattices  are  more  vulnerable  to  attack  than  those  based 
on  general  lattices. 
Abstract. We put the Gentry-Szydlo algorithm into a mathematical framework, and show 
that  it  is  part  of  a  general  theory  of  “lattices  with  symmetry”.  For  large  ranks,  there  is  no 
good  algorithm  that  decides  whether  a  given  lattice  has  an  orthonormal  basis.  But  when  the 
lattice  is  given  with  enough  symmetry,  we  can  construct  a  provably  deterministic  polynomial 
time  algorithm  to  accomplish  this,  based  on  the  work  of  Gentry  and  Szydlo.  The  techniques 
involve  algorithmic  algebraic  number  theory,  analytic  number  theory,  commutative  algebra, 
and  lattice  basis  reduction.  This  sheds  new  light  on  the  Gentry-Szydlo  algorithm,  and  the 
ideas  should  be  applicable  to  a  range  of  questions  in  cryptography. 


Keywords:  lattices,  Gentry-Szydlo  algorithm,  ideal  lattices,  lattice-based  cryptography 


1  Introduction 

In §7 of [6], Gentry and Szydlo introduced some powerful new ideas that combined in a clever way lattice basis reduction and number theory. They used these ideas to cryptanalyze NTRU Signatures. The recent interest in Fully Homomorphic Encryption (FHE) and in the candidate multilinear maps of Garg-Gentry-Halevi [2] bring the Gentry-Szydlo results once again to the fore. Gentry’s first FHE scheme [3] used ideal lattices, as have a number of subsequent schemes. Fully Homomorphic Encryption is performed more efficiently with ideal lattices than with general lattices. However, ideal lattices are special, with much structure (“symmetries”) that has the potential to be exploited. In his thesis [4], Gentry mentions that the Gentry-Szydlo attack on NTRU signatures can be used to attack principal ideal lattices in the ring $\mathbb{Z}[X]/(X^n - 1)$, if the lattice has an orthonormal basis.

* This material is based on research sponsored by DARPA under agreement numbers FA8750-11-1-0248 and FA8750-13-2-0054. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.
As Gentry pointed out [5], the Gentry-Szydlo algorithm “seems to be a rather crazy, unusual combination of LLL with more ‘algebraic’ techniques. It seems like it should have more applications — e.g., perhaps to breaking or weakening ideal lattices.” Generalizing or improving the Gentry-Szydlo algorithm would potentially affect the security of all cryptography that is built from ideal lattices, or whose security is based on hard problems for ideal lattices. Candidate multilinear maps were recently cryptanalyzed using the Gentry-Szydlo algorithm. As remarked by Garg, Gentry, and Halevi in [2], their “new algebraic/lattice attacks are extensions of an algorithm by Gentry and Szydlo, which combines lattice reduction and Fermat’s Little Theorem in a clever way to solve a relative norm equation in a cyclotomic field.”

The  Gentry-Szydlo  algorithm  has  been  viewed  by  some  as  magic  [11].  In  this  paper 
we  revisit  the  algorithm  and  put  it  in  a  mathematical  framework,  in  order  to  make 
it  easier  to  understand,  generalize,  and  improve  on.  That  should  help  make  it  more 
widely  applicable  in  cryptographic  applications.  We  embed  the  algorithm  in  a  wider 
theory that we refer to as “lattices with symmetry”. 

The algorithm of Gentry and Szydlo can be viewed as a way to find an orthonormal basis (if one exists) for an ideal lattice. Determining whether a lattice has an orthonormal basis is a difficult algorithmic problem that is easier when the lattice has many symmetries. In this paper we solve this problem when the lattice comes with a sufficiently large abelian group of automorphisms, and we show how the Gentry-Szydlo algorithm is a special case of this result.

Our algorithm runs in deterministic polynomial time, whereas [6] relies on a probabilistic algorithm. Also, our setting is more general (our theory applies to arbitrary finite abelian groups, where [6] considers only cyclic groups of odd prime order), thereby covering other cases of potential cryptographic interest.

Briefly, our main result is as follows (see §2 for background information). If $G$ is a finite abelian group and $u \in G$ has order 2, define a $G$-lattice to be a lattice $L$ with a group homomorphism $G \to \mathrm{Aut}(L)$ that takes $u$ to $-1$. The “standard” $G$-lattice is the modified group ring $\mathbb{Z}\langle G \rangle = \mathbb{Z}[G]/(u + 1)$. A $G$-isomorphism is an isomorphism of lattices that respects the $G$-actions.

Theorem 1.1 There is a deterministic polynomial time algorithm that, given a finite abelian group $G$, an element $u \in G$ of order 2, and a $G$-lattice $L$, decides whether $L$ and $\mathbb{Z}\langle G \rangle$ are $G$-isomorphic, and if they are, exhibits a $G$-isomorphism.

The ingredients include the technique invented by Gentry and Szydlo in [6], lattice basis reduction, commutative algebra (finite rings and tensor algebras), analytic number theory, and algorithmic algebraic number theory. The graded tensor algebra $A$ introduced in §3.4 is in a sense the hero of our story. It replaces Gentry’s and Szydlo’s polynomial chains. In §7 of [6], taking powers of an ideal in the ring $R = \mathbb{Z}[X]/(X^n - 1)$ required complicated bookkeeping, via polynomial chains and lattice basis reduction to avoid coefficient blow-up. We do away with this, by using the module structure of the ideal, rather than its ideal structure. More precisely, an ideal in a commutative ring $R$ is the same as an $R$-module $M$ along with an embedding $M \hookrightarrow R$ of $R$-modules. While Gentry and Szydlo use the embedding, we observe that one can avoid coefficient blow-up by using the module structure of $M$ but not the actual embedding. We replace ideal multiplication with tensor products of lattices.

In §2 we introduce the concept of a $G$-lattice, and in §2.3 we show that Theorem 1.1 implies the result of Gentry and Szydlo. In §3–§4 we introduce invertible $G$-lattices, of which the ideal lattices considered by Gentry and Szydlo are examples, and give the concepts and results that we use to state our new algorithm and prove its correctness. We explicitly present the algorithm in §5.

2  G-lattices  and  the  modified  group  ring 

In  this  section  we  explain  some  notation  and  concepts  that  we  use  in  our  main  result. 

2.1  Lattices  and  G-lattices 

We first give some background on lattices (see also [10]), and introduce $G$-lattices.

Definition 2.1 A lattice or integral lattice is a finitely generated abelian group
$L$ with a map $(\cdot,\cdot) : L \times L \to \mathbb{Z}$ that is

— bilinear: $(x, y+z) = (x,y) + (x,z)$ and $(x+y, z) = (x,z) + (y,z)$ for all $x,y,z \in L$,

— symmetric: $(x,y) = (y,x)$ for all $x,y \in L$, and

— positive definite: $(x,x) > 0$ if $0 \ne x \in L$.

As a group, $L$ is isomorphic to $\mathbb{Z}^n$ for some $n$, which is called the rank of $L$.
In algorithms, a lattice is specified by a Gram matrix $((b_i, b_j))_{i,j=1}^n$ associated to a
$\mathbb{Z}$-basis $\{b_1, \dots, b_n\}$.

Definition 2.2 The standard lattice of rank $n$ is $L = \mathbb{Z}^n$ with $(x,y) = \sum_{i=1}^n x_i y_i$.
Its Gram matrix is the $n \times n$ identity matrix $I_n$.

Definition 2.3 A lattice $L$ is unimodular if the map $L \to \mathrm{Hom}(L, \mathbb{Z})$ that takes
each $x \in L$ to the map $y \mapsto (x,y)$ is bijective. Equivalently, $L$ is unimodular if its
Gram matrix has determinant 1.

Definition 2.4 An isomorphism $L \to M$ of lattices is a group isomorphism $\varphi :
L \to M$ that respects the lattice structures, i.e., $(\varphi(x), \varphi(y)) = (x,y)$ for all $x,y \in L$.
If such a map $\varphi$ exists, then $L$ and $M$ are isomorphic lattices. An automorphism
of a lattice $L$ is an isomorphism from $L$ onto itself. The set of automorphisms of $L$
is a finite group $\mathrm{Aut}(L)$ whose center contains $-1$ (represented by $-I_n$).
In algorithms, isomorphisms are specified by their matrices on the given bases of
$L$ and $M$.

Examples 2.5 (i) "Random" lattices have $\mathrm{Aut}(L) = \{\pm 1\}$.

(ii) Letting $S_n$ denote the symmetric group on $n$ letters and $\rtimes$ denote semidirect
product, then $\mathrm{Aut}(\mathbb{Z}^n) = \{\pm 1\}^n \rtimes S_n$. (The standard basis vectors can be permuted,
and negatives taken.)

(iii) If $L$ is the equilateral triangular lattice in the plane, then $\mathrm{Aut}(L)$ is the symmetry
group of the regular hexagon, which is a dihedral group of order 12.

From now on, suppose that $G$ is a finite abelian group, and $u \in G$ is a fixed
element of order 2.

Definition 2.6 A $G$-lattice is a lattice $L$ together with a group homomorphism $f :
G \to \mathrm{Aut}(L)$ such that $f(u) = -1$. For each $a \in G$ and $x \in L$, define $ax \in L$ by
$ax = f(a)(x)$.

The abelian group $G$ is specified by a multiplication table. The $G$-lattice $L$ is
specified as a lattice along with, for each $a \in G$, the matrix describing the action of
$a$ on $L$.

Definition 2.7 If $L$ and $M$ are $G$-lattices, then a $G$-isomorphism is an isomorphism
$\varphi : L \to M$ of lattices that respects the $G$-actions, i.e., $\varphi(ax) = a\varphi(x)$ for
all $x \in L$ and $a \in G$. If such an isomorphism exists, we say that $L$ and $M$ are
$G$-isomorphic, or isomorphic as $G$-lattices.

2.2 The Modified Group Ring $\mathbb{Z}(G)$

We define a modified group ring $A(G)$ whenever $A$ is a commutative ring. We will
usually take $A = \mathbb{Z}$, but will also take $A = \mathbb{Z}/m\mathbb{Z}$. We consider $A(G)$ rather than the
standard group ring $A[G]$, since $G$-lattices become $\mathbb{Z}(G)$-modules. Also, it allows us
to include the cyclotomic rings $\mathbb{Z}[X]/(X^{2^k} + 1)$ in our theory.

The group ring $A[G]$ is the set of formal sums $\sum_{\sigma \in G} a_\sigma \sigma$ with $a_\sigma \in A$, with
addition defined by

$$\sum_{\sigma\in G} a_\sigma\sigma + \sum_{\sigma\in G} b_\sigma\sigma = \sum_{\sigma\in G}(a_\sigma + b_\sigma)\sigma$$

and multiplication defined by

$$\Bigl(\sum_{\sigma\in G} a_\sigma\sigma\Bigr)\Bigl(\sum_{\tau\in G} b_\tau\tau\Bigr) = \sum_{\rho\in G}\Bigl(\sum_{\sigma\tau=\rho} a_\sigma b_\tau\Bigr)\rho.$$

For example, if $G$ is a cyclic group of order $m$ and $g$ is a generator, then as rings
$\mathbb{Z}[X]/(X^m - 1) \cong \mathbb{Z}[G]$ via the map $\sum_i a_i X^i \mapsto \sum_i a_i g^i$.

Definition 2.8 If $A$ is a commutative ring, then writing 1 for the identity element
of the group $G$, we define the modified group ring

$$A(G) = A[G]/(u + 1).$$

Every $G$-lattice is a $\mathbb{Z}(G)$-module, where one uses the $G$-action on $L$ to define $ax$
whenever $x \in L$ and $a \in \mathbb{Z}(G)$.

Definition 2.9 Define the scaled trace function $t : A(G) \to A$ by

$$t\Bigl(\sum_{\sigma\in G} a_\sigma\sigma\Bigr) = a_1 - a_u.$$

Then $t$ is the (additive) group homomorphism satisfying $t(1) = 1$, $t(u) = -1$, and
$t(\sigma) = 0$ if $\sigma \in G$ and $\sigma \ne 1, u$.

Definition 2.10 For $a = \sum_{\sigma\in G} a_\sigma\sigma \in A(G)$, define $\bar{a} = \sum_{\sigma\in G} a_\sigma\sigma^{-1}$.

The map $a \mapsto \bar{a}$ is a ring automorphism of $A(G)$. Since $\bar{\bar{a}} = a$, it is an involution.
(An involution is a map that is its own inverse.) In practice, this map plays the role
of complex conjugation.

Remark 2.11 If $L$ is a $G$-lattice and $x,y \in L$, then $(ax, ay) = (x,y)$ for all $a \in G$.
It follows that $(ax, y) = (x, \bar{a}y)$ for all $a \in \mathbb{Z}(G)$.

Definition 2.12 For $x,y \in \mathbb{Z}(G)$ define $(x,y)_{\mathbb{Z}(G)} = t(x\bar{y})$.

Let $n = |G|/2 \in \mathbb{Z}$.

Definition 2.13 Let $S$ be a set of coset representatives of $G/\langle u\rangle$ (i.e., $\#S = n$ and
$G = S \cup uS$), and for simplicity take $S$ so that $1 \in S$.

The following result is straightforward.

Proposition 2.14 (i) The additive group of the ring $\mathbb{Z}(G)$ is a $G$-lattice of rank $n$,
with lattice structure defined by $(x,y)_{\mathbb{Z}(G)}$ and $G$-action defined by $ax = ax$ where
the right-hand side is ring multiplication in $\mathbb{Z}(G)$.

(ii) As lattices, $\mathbb{Z}(G) \cong \mathbb{Z}^n$.

(iii) $\mathbb{Z}(G) = \{\sum_{\sigma\in S} a_\sigma\sigma : a_\sigma \in \mathbb{Z}\} = \bigoplus_{\sigma\in S} \mathbb{Z}\sigma$ and $t(\sum_{\sigma\in S} a_\sigma\sigma) = a_1$.

Definition 2.15 We call $\mathbb{Z}(G)$ the standard $G$-lattice.

Example 2.16 Suppose $G = H \times \langle u\rangle$ with $H = \mathbb{Z}/n\mathbb{Z}$. Then $\mathbb{Z}(G) \cong \mathbb{Z}[H] \cong
\mathbb{Z}[X]/(X^n - 1)$ as rings and as lattices. When $n$ is odd (so $G$ is cyclic), then (by
sending $X$ to $-X$) we have $\mathbb{Z}(G) \cong \mathbb{Z}[X]/(X^n - 1) \cong \mathbb{Z}[X]/(X^n + 1)$.

Remark 2.17 The ring $\mathbb{Z}(G)$ is an integral domain (i.e., no zero divisors) if and only
if $G$ is cyclic and $n$ is a power of 2. If $G$ is cyclic of order $2^r$, then $\mathbb{Z}(G) \cong \mathbb{Z}[\zeta_{2^r}]$.




2.3  Ideal  Lattices 


Example 2.18 Suppose $I$ is an ideal in the ring $\mathbb{Z}(G)$ and $w \in \mathbb{Z}(G)$. Suppose that
$I\bar{I} = \mathbb{Z}(G)\cdot w$ and $\psi(w) \in \mathbb{R}_{>0}$ for all ring homomorphisms $\psi : \mathbb{Z}(G) \to \mathbb{C}$. It follows
that the ideal $I$ has finite index in $\mathbb{Z}(G)$, that $\bar{w} = w$, and that $w$ is not a zero divisor.
Define the $G$-lattice $L_{(I,w)}$ to be $I$ with $G$-action given by multiplication in $\mathbb{Z}(G)$, and
with lattice structure defined by

$$(x,y)_{I,w} = t\Bigl(\frac{x\bar{y}}{w}\Bigr)$$

with $t$ as in Definition 2.9. (Note that $x\bar{y}/w \in \mathbb{Z}(G)$ since $w$ generates the ideal $I\bar{I}$.) In
particular, $L_{(\mathbb{Z}(G),1)} = \mathbb{Z}(G)$.

The lattice $L_{(I,w)}$ is $G$-isomorphic to $\mathbb{Z}(G)$ if and only if there exists $v \in \mathbb{Z}(G)$ such
that $I = (v)$ and $w = v\bar{v}$. Further, knowing such a $G$-isomorphism is equivalent to
knowing $v$. More precisely, $v$ is the image of 1 under a $G$-isomorphism $\mathbb{Z}(G) \to L_{(I,w)}$
and $w = v\bar{v}$ if and only if $(av, bv)_{I,w} = t(a\bar{b}) = (a,b)_{\mathbb{Z}(G)}$ for all $a,b \in \mathbb{Z}(G)$. Thus,
finding $v$ from $I$ and $v\bar{v}$ in polynomial time is equivalent to finding a $G$-isomorphism
$\mathbb{Z}(G) \to L_{(I,w)}$ in polynomial time.

The point of dividing by $w$ in the definition of $(x,y)_{I,w}$ is to make the lattice $L_{(I,w)}$
unimodular. It follows that when we take tensor powers of $L_{(I,w)}$ over $\mathbb{Z}(G)$, as we will
do in §5 below, there will be no coefficient blow-up.

We next show how to recover the Gentry-Szydlo result from Theorem 1.1. The
Gentry-Szydlo algorithm finds a generator $v$ of an ideal $I$ of finite index in the ring
$R = \mathbb{Z}[X]/(X^n - 1)$, given $v\bar{v}$, a $\mathbb{Z}$-basis for $I$, and a "promise" that $v$ exists. Here, $n$
is an odd prime, and for $v = v(X) = \sum_{i=0}^{n-1} a_i X^i \in R$, its "reversal" is $\bar{v} = v(X^{-1}) =
a_0 + \sum_{i=1}^{n-1} a_{n-i} X^i \in R$. We take $G$ to be a cyclic group of order $2n$. Then $R \cong \mathbb{Z}(G)$ as
in Example 2.16, and we identify $R$ with $\mathbb{Z}(G)$. Let $w = v\bar{v} \in \mathbb{Z}(G)$ and let $L = L_{(I,w)}$
as above. Then $L$ is the "implicit orthogonal lattice" in §7.2 of [6]. Once you know a
$\mathbb{Z}$-basis for $I$ and $w$, you know $L$. Theorem 1.1 produces a $G$-isomorphism $\mathbb{Z}(G) \to L$
in polynomial time, and thus gives a generator $v$ in polynomial time.
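The arithmetic of §2.2 and the ideal lattice of Example 2.18, worked out as an added example (not code from the paper) for $G$ cyclic of order $2n$ with $u = g^n$, so that $\mathbb{Z}(G) = \mathbb{Z}[X]/(X^n+1)$ with $S = \{1, g, \dots, g^{n-1}\}$. The value $n = 4$ and the generator $v$ are constructed sample inputs, and the division by $w$ is implemented by solving a linear system over $\mathbb{Q}$ (an implementation choice made here, not the paper's method).

```python
from fractions import Fraction

# Added example, not the paper's code.  G = <g> is cyclic of order 2n with
# u = g^n, so Z(G) = Z[G]/(u + 1) = Z[X]/(X^n + 1).  An element is stored as
# the coefficient list [a_0, ..., a_{n-1}] on S = {1, g, ..., g^{n-1}}.


def unit(n, i):
    """The group element g^i as an element of Z(G)."""
    e = [0] * n
    e[i] = 1
    return e


def zg_mul(a, b):
    """Ring product: g^i g^j = g^{i+j}, and g^n = u = -1 in Z(G)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj  # g^k = u g^{k-n} = -g^{k-n}
    return out


def zg_conj(a):
    """Involution of Definition 2.10: g^i -> g^{-i} = g^{2n-i} = -g^{n-i}."""
    n = len(a)
    out = [a[0]] + [0] * (n - 1)
    for i in range(1, n):
        out[n - i] -= a[i]
    return out


def zg_trace(a):
    """Scaled trace t of Definition 2.9; in S-form it is a_1 (Prop. 2.14(iii))."""
    return a[0]


def zg_inner(x, y):
    """(x, y)_{Z(G)} = t(x conj(y)) of Definition 2.12."""
    return zg_trace(zg_mul(x, zg_conj(y)))


def zg_div_exact(target, w):
    """q in Z(G) with q w = target, or None.  Multiplication by w is Z-linear,
    so this is an n x n linear system; solve it over Q, then check integrality."""
    n = len(w)
    cols = [zg_mul(w, unit(n, j)) for j in range(n)]  # column j = w g^j
    rows = [[Fraction(cols[j][i]) for j in range(n)] + [Fraction(target[i])]
            for i in range(n)]
    for c in range(n):  # Gauss-Jordan elimination with exact rationals
        piv = next((r for r in range(c, n) if rows[r][c] != 0), None)
        if piv is None:
            return None  # w is a zero divisor; not the case for w = v conj(v) here
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [x / rows[c][c] for x in rows[c]]
        for r in range(n):
            if r != c and rows[r][c] != 0:
                f = rows[r][c]
                rows[r] = [x - f * y for x, y in zip(rows[r], rows[c])]
    q = [row[n] for row in rows]
    return [int(x) for x in q] if all(x.denominator == 1 for x in q) else None


def ideal_inner(x, y, w):
    """(x, y)_{I,w} = t(x conj(y) / w) of Example 2.18."""
    q = zg_div_exact(zg_mul(x, zg_conj(y)), w)
    if q is None:
        raise ValueError("x conj(y) is not divisible by w in Z(G)")
    return zg_trace(q)


def gram(basis, inner):
    """Gram matrix of a basis with respect to the given inner product."""
    return [[inner(x, y) for y in basis] for x in basis]


def identity(n):
    return [unit(n, i) for i in range(n)]


if __name__ == "__main__":
    n = 4
    v = [1, 2, 0, -1]                  # constructed sample v = 1 + 2g - g^3
    w = zg_mul(v, zg_conj(v))          # w = v conj(v) = [6, 3, 0, -3]
    print("w =", w, " conj(w) == w:", zg_conj(w) == w)
    # Proposition 2.14: S is an orthonormal basis of the standard G-lattice.
    print(gram(identity(n), zg_inner) == identity(n))
    # Example 2.18 with I = (v): the basis {g^i v} of L_{(I,w)} is orthonormal,
    # i.e. (av, bv)_{I,w} = t(a conj(b)) for a, b in S.
    basis = [zg_mul(unit(n, i), v) for i in range(n)]
    print(gram(basis, lambda x, y: ideal_inner(x, y, w)) == identity(n))
    # Remark 2.11: (ax, y) = (x, conj(a) y) for a in Z(G).
    a, x, y = [2, -1, 3, 0], [1, 0, 2, 1], [0, 3, -1, 2]
    print(zg_inner(zg_mul(a, x), y) == zg_inner(x, zg_mul(zg_conj(a), y)))
```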

3 Invertible $G$-lattices, short vectors, and the tensor algebra $A$

In  this  section  we  give  some  concepts  that  we  will  use  to  prove  Theorem  1.1. 

3.1  Invertible  G-lattices 

Definition 3.1 If $L$ is a $G$-lattice, then the $G$-lattice $\bar{L}$ is a lattice equipped with a
lattice isomorphism $L \to \bar{L}$, $x \mapsto \bar{x}$ and a group homomorphism $G \to \mathrm{Aut}(\bar{L})$ defined
by $a\bar{x} = \overline{a^{-1}x} = \overline{\bar{a}x}$ for all $a \in G$ and $x \in L$, i.e., $\overline{ax} = \bar{a}\bar{x}$.

Definition 3.2 If $L$ is a $G$-lattice, define the lifted inner product
$\cdot : L \times \bar{L} \to \mathbb{Z}(G)$ by

$$x \cdot \bar{y} = \sum_{\sigma\in S} (x, \sigma y)\,\sigma \in \mathbb{Z}(G).$$

Then

$$(x,y) = t(x\cdot\bar{y}) \qquad (1)$$

and $\overline{x\cdot\bar{y}} = y\cdot\bar{x}$. This lifted inner product is $\mathbb{Z}(G)$-bilinear, i.e., $(ax)\cdot\bar{y} = x\cdot(a\bar{y}) =
a(x\cdot\bar{y})$ for all $a \in \mathbb{Z}(G)$ and all $x,y \in L$.

Example 3.3 If $L = \mathbb{Z}(G)$, then $\bar{L} = \mathbb{Z}(G)$ with $x \mapsto \bar{x}$ having the same meaning as in
Definition 2.10 for $A = \mathbb{Z}$, and with $\cdot$ being multiplication in $\mathbb{Z}(G)$.

Definition 3.4 A $G$-lattice $L$ is invertible if the following three conditions all hold:

(i) $\mathrm{rank}(L) = n = |G|/2$;

(ii) $L$ is unimodular (see Definition 2.3);

(iii) for each $m \in \mathbb{Z}_{>0}$ there exists $e_m \in L$ such that $\{ae_m + mL : a \in G\}$ generates
the abelian group $L/mL$.

Example 3.5 If a $G$-lattice $L$ is $G$-isomorphic to the standard $G$-lattice then $L$ is
invertible. For (iii), observe that the group $\mathbb{Z}(G)$ is generated by $\{a1 : a \in G\}$, so the
group $L$ is generated by $\{ae : a \in G\}$ where $e$ is the image of 1 under the isomorphism.
Now let $e_m = e$ for all $m$.

Remark 3.6 In the full version of the paper we will show that a $G$-lattice $L$ is invertible
if and only if there is a $\mathbb{Z}(G)$-module $M$ such that $L \otimes_{\mathbb{Z}(G)} M$ and $\mathbb{Z}(G)$ are
isomorphic as $\mathbb{Z}(G)$-modules and $L$ is unimodular. (See Chapter XVI of [8] for tensor
products.) We will also show that this is equivalent to the map $\mu : L \otimes_{\mathbb{Z}(G)} \bar{L} \to \mathbb{Z}(G)$
defined by $\mu(x \otimes \bar{y}) = x\cdot\bar{y}$ being an isomorphism of $\mathbb{Z}(G)$-modules. Further, $L$ is
invertible if and only if $L$ is $G$-isomorphic to $L_{(I,w)}$ for some $I$ and $w$ as in Example 2.18.

Definition 3.4(iii) states that $L/mL$ is a free $(\mathbb{Z}/m\mathbb{Z})(G)$-module of rank one for
all $m > 0$. Given an ideal, it is a hard problem to decide if it is principal. But checking
(iii) of Definition 3.4 is easy algorithmically; see Proposition 4.4(ii) below.

3.2  Short  vectors 

Definition 3.7 We will say that a vector $e$ in an integral lattice $L$ is short if $(e,e) = 1$.

Example 3.8 The short vectors in the standard lattice of rank $n$ are the $2n$ signed
standard basis vectors $\{(0, \dots, 0, \pm 1, 0, \dots, 0)\}$. Thus, the set of short vectors in $\mathbb{Z}(G)$
is $G$.
Proposition 3.9 Suppose $L$ is an invertible $G$-lattice. Then:

(i) if $e$ is short, then $\{\sigma \in G : \sigma e = e\} = \{1\}$;

(ii) if $e$ is short, then $(e, \sigma e)$ is 1 if $\sigma = 1$, is $-1$ if $\sigma = u$, and is 0 for all other $\sigma \in G$;

(iii) $e \in L$ is short if and only if $e\cdot\bar{e} = 1$, with inner product $\cdot$ defined in Definition 3.2.

Proof. Suppose $e \in L$ is short. Let $H = \{\sigma \in G : \sigma e = e\}$. For all $\sigma \in G$, by the
Cauchy-Schwarz inequality we have $|(e, \sigma e)| \le ((e,e)(\sigma e, \sigma e))^{1/2} = (e,e) = 1$, and
$|(e, \sigma e)| = 1$ if and only if $e$ and $\sigma e$ lie on the same line through 0. Thus $(e, \sigma e) \in
\{1, 0, -1\}$. Then $(e, \sigma e) = 1$ if and only if $\sigma \in H$. Also, $(e, \sigma e) = -1$ if and only if
$\sigma e = -e$ if and only if $\sigma \in Hu$. Otherwise, $(e, \sigma e) = 0$. Thus for (i,ii), it suffices to
prove $H = \{1\}$.

Let $T$ be a set of coset representatives for $G$ mod $H\langle u\rangle$ and let $S = T \cdot H$, a set
of coset representatives for $G$ mod $\langle u\rangle$. If $\alpha = \sum_{\sigma\in S} a_\sigma\sigma \in (\mathbb{Z}/m\mathbb{Z})(G)$ is fixed by $H$,
then $a_{\tau\sigma} = a_\sigma$ for all $\sigma \in S$ and $\tau \in H$, so $\alpha \in (\sum_{\tau\in H}\tau)(\mathbb{Z}/m\mathbb{Z})(G)$.

Let $m = |H|$. By Definition 3.4(iii), there is a $\mathbb{Z}[H]$-module isomorphism $L/mL \cong
(\mathbb{Z}/m\mathbb{Z})(G)$. The latter is a free module over $(\mathbb{Z}/m\mathbb{Z})[H]$ with basis $T$. Since $e + mL \in
(L/mL)^H$ we have $e = me_1 + (\sum_{\tau\in H}\tau)e_2$ with $e_1, e_2 \in L$. Since $(e, \tau e_2) = (\tau e, \tau e_2) =
(e, e_2)$ for all $\tau \in H$, we have

$$1 = (e,e) = m(e, e_1) + \sum_{\tau\in H}(e, \tau e_2) = m(e, e_1 + e_2) \equiv 0 \bmod m.$$

Thus, $m = 1$ as desired. Part (iii) follows directly from (ii) and Definition 3.2.

This  enables  us  to  prove  the  following  result. 

Proposition 3.10 Suppose $L$ is a $G$-lattice. Then:

(i) if $L$ is invertible, then the map

$$\{G\text{-isomorphisms } \mathbb{Z}(G) \to L\} \to \{\text{short vectors of } L\}$$

that sends $f$ to $f(1)$ is bijective;

(ii) if $e \in L$ is short and $L$ is invertible, then $\{ae : a \in G\}$ generates the abelian group $L$;

(iii) $L$ is $G$-isomorphic to $\mathbb{Z}(G)$ if and only if $L$ is invertible and has a short vector;

(iv) if $e \in L$ is short and $L$ is invertible, then the map $G \to \{\text{short vectors of } L\}$
defined by $a \mapsto ae$ is bijective.

Proof. For (i), that $f(1)$ is short is clear. Injectivity of the map $f \mapsto f(1)$ follows
from $\mathbb{Z}(G)$-linearity of $G$-isomorphisms. For surjectivity, suppose $e \in L$ is short.
Proposition 3.9(ii) says that $\{\sigma e\}_{\sigma\in S}$ is an orthonormal basis for $L$. Parts (ii) and (i)
now follow, where the $G$-isomorphism $f$ is defined by $x \mapsto xe$ for all $x \in \mathbb{Z}(G)$. Part
(iii) follows from (i) and Example 3.5. For (iv), injectivity follows from Proposition
3.9(i). For surjectivity, suppose $e' \in L$ is short. Take $G$-isomorphisms $f$ and $f'$ with
$f(1) = e$ and $f'(1) = e'$ as in (i), and let $a = f^{-1} \circ f'(1)$. Then $a$ is a short vector in
$\mathbb{Z}(G)$ such that $ae = e'$. By Example 3.8 we have $a \in G$.

3.3  The  Witt-Picard  group 

If $L$ and $M$ are invertible $G$-lattices, then the $\mathbb{Z}(G)$-module $L \otimes_{\mathbb{Z}(G)} M$ is a $G$-lattice
with lifted inner product $(x \otimes v)\cdot\overline{(y \otimes w)} = (x\cdot\bar{y})(v\cdot\bar{w})$, for all $x,y \in L$ and $v,w \in M$,
and with lattice structure $(a,b) = t(a\cdot\bar{b})$ for all $a,b \in L \otimes_{\mathbb{Z}(G)} M$. In the notation of
Example 2.18 we have

$$L_{(I_1,w_1)} \otimes_{\mathbb{Z}(G)} L_{(I_2,w_2)} \cong L_{(I_1I_2,\, w_1w_2)},$$

where $I_1I_2$ is the product of ideals.

Definition 3.11 If $L$ is an invertible $G$-lattice, let $[L]$ denote its $G$-isomorphism
class, i.e., the class of all $G$-lattices that are $G$-isomorphic to $L$. We define the Witt-
Picard group of $\mathbb{Z}(G)$ to be the set of all $G$-isomorphism classes of invertible $G$-
lattices, with group operation defined by $[L]\cdot[M] = [L \otimes_{\mathbb{Z}(G)} M]$, with identity element
$[\mathbb{Z}(G)]$, and with $[L]^{-1} = [\bar{L}]$.

The Witt-Picard group is a finite abelian group. When computing in the Witt-
Picard group, one can apply a lattice basis reduction algorithm whenever the numbers
get too large. More precisely, algorithmically we represent an invertible $G$-lattice $M$ by
letting $M = \mathbb{Z}^n$ as an abelian group, specifying a group homomorphism $G \to \mathrm{GL}(n, \mathbb{Z})$
giving the action of $G$ on $M$, and giving data describing the map $\cdot : M \times \bar{M} \to \mathbb{Z}(G)$;
the lattice structure is then given by $(a,b) = t(a\cdot\bar{b})$ for all $a,b \in M$. If $M_1$ and $M_2$ are
invertible $G$-lattices, $m_1, m_2 \in \mathbb{Z}_{>0}$, and $d_i \in M_i/m_iM_i$ for $i = 1,2$, one can compute
$(M_1 \otimes_{\mathbb{Z}(G)} M_2, d_1 \otimes d_2)$ in polynomial time. Also, there is a deterministic polynomial
time algorithm that, given $M$ and given $d \in M/mM$, produces a pair $(M', d')$ and a
$G$-isomorphism $(M, d) \to (M', d')$ such that the standard basis of $M' = \mathbb{Z}^n$ is LLL-
reduced (and thus each entry of the Gram matrix is at most $2^{n-1}$ in absolute value,
by Lemma 3.12 below). This in fact proves the finiteness of the Witt-Picard group.

If $L = L_{(I,w)}$ for some $I$ and $w$ as in Example 2.18, and $j \in \mathbb{Z}_{>0}$, then $[L]^j$ is the
$G$-isomorphism class of $L_{(I^j, w^j)}$. One can compute $[L]^j$ in deterministic polynomial
time using an addition chain for $j$, and LLL-reducing intermediate powers to prevent
coefficient blow-up. This takes the place of the polynomial chains in §7.4 of [6].

Lemma 3.12 If $\{b_1, \dots, b_n\}$ is an LLL-reduced basis for an integral unimodular lattice
$L$ and $\{b_1^*, \dots, b_n^*\}$ is its Gram-Schmidt orthogonalization, then

$$2^{1-i} \le |b_i^*|^2 \le 2^{n-i}$$

and $|b_i|^2 \le 2^{n-1}$ for all $i \in \{1, \dots, n\}$.

Proof. Being LLL-reduced means that $b_i = b_i^* + \sum_{j<i}\mu_{ij}b_j^*$ with $|\mu_{ij}| \le \frac12$ for all
$j < i \le n$, and $|b_i^*|^2 \le 2|b_{i+1}^*|^2$ for all $i < n$. Thus for $1 \le j \le i \le n$ we have
$|b_j^*|^2 \le 2^{i-j}|b_i^*|^2$, so for all $i$ we have

$$2^{1-i}|b_1^*|^2 \le |b_i^*|^2 \le 2^{n-i}|b_n^*|^2.$$

Since $L$ is integral we have $|b_1^*|^2 = |b_1|^2 = (b_1, b_1) \ge 1$, so $|b_i^*|^2 \ge 2^{1-i}$. Letting
$L_i = \sum_{j=1}^i \mathbb{Z}b_j$, then $|b_i^*| = \det(L_i)/\det(L_{i-1})$. Since $L$ is integral and unimodular,
$|b_n^*| = \det(L_n)/\det(L_{n-1}) = 1/\det(L_{n-1}) \le 1$, so $|b_i^*|^2 \le 2^{n-i}$. Since $\{b_i^*\}$ is orthogonal
we have

$$|b_i|^2 = |b_i^*|^2 + \sum_{j=1}^{i-1}\mu_{ij}^2|b_j^*|^2 \le 2^{n-i} + \frac14\sum_{j=1}^{i-1}2^{n-j} = 2^{n-i} + 2^{n-2} - 2^{n-i-1} \le 2^{n-2} + 2^{n-2} = 2^{n-1}.$$


3.4  The  extended  tensor  algebra  A 

We are now ready to introduce the extended tensor algebra $A$ in which our computations
take place. Suppose $L$ is an invertible $G$-lattice. Letting $L^{\otimes 0} = \mathbb{Z}(G)$ and letting
$L^{\otimes m} = L \otimes_{\mathbb{Z}(G)} \cdots \otimes_{\mathbb{Z}(G)} L$ ($m$ times) and $L^{\otimes(-m)} = \bar{L}^{\otimes m} = \bar{L} \otimes_{\mathbb{Z}(G)} \cdots \otimes_{\mathbb{Z}(G)} \bar{L}$ for all
$m \in \mathbb{Z}_{>0}$, define the extended tensor algebra

$$A = \bigoplus_{i\in\mathbb{Z}} L^{\otimes i} = \cdots \oplus \bar{L}^{\otimes 3} \oplus \bar{L}^{\otimes 2} \oplus \bar{L} \oplus \mathbb{Z}(G) \oplus L \oplus L^{\otimes 2} \oplus L^{\otimes 3} \oplus \cdots$$

("extended" because we extend the usual notion to include negative exponents).
Each $L^{\otimes i}$ is an invertible $G$-lattice, and represents $[L]^i$. For simplicity, we denote $L^{\otimes i}$
by $L^i$. The ring structure on $A$ is defined as the ring structure on the tensor algebra,
supplemented with the lifted inner product $\cdot$. The following result is straightforward.

Proposition 3.13 (i) $A$ is a commutative ring containing $\mathbb{Z}(G)$ as a subring;

(ii) the action of $G$ on $L$ becomes multiplication in $A$, and likewise for the action of
$G$ on $\bar{L}$;

(iii) $A$ has an involution $x \mapsto \bar{x}$ extending both the involution of $\mathbb{Z}(G)$ and the map
$L \to \bar{L}$;

(iv) the lifted inner product $\cdot : L \times \bar{L} \to \mathbb{Z}(G)$ becomes multiplication in $A$;

(v) if $e \in L$ is short, then $\bar{e} = e^{-1}$ in $A$ and $A = \mathbb{Z}(G)[e, e^{-1}]$.

All computations in $A$ and in $A/mA$ will be done with homogeneous elements
only, where the set of homogeneous elements of $A$ is $\bigcup_{i\in\mathbb{Z}} L^i$.

4 The main ingredients


We give the main results that we will use to prove Theorem 1.1. Fix as before a finite
abelian group $G$ of order $2n$ and $u \in G$ of order 2. Let $k$ denote the exponent of $G$.
(The exponent of a group $H$ is the least positive integer $k$ such that $a^k = 1$ for all
$a \in H$. The exponent of $H$ divides $|H|$ and has the same prime factors as $|H|$.) For
all $m \in \mathbb{Z}_{>1}$, denote by $k(m)$ the exponent of the unit group $(\mathbb{Z}(G)/(m))^*$.

Remark 4.1 By Proposition 3.10, the $G$-isomorphisms $\mathbb{Z}(G) \to L$ are in one-to-
one correspondence with the short vectors, and if a short $e \in L$ exists, then the short
vectors of $L$ are exactly the $2n$ vectors $\{ae : a \in G\}$. If $k$ is the exponent of $G$, then
$(ae)^k = a^ke^k = e^k$ in $A$. Hence for invertible $L$, all short vectors in $L$ have the same
$k$-th power $e^k \in A$. At least philosophically, it is easier to find things that are uniquely
determined. We look for $e^k$ first, and then recover $e$ from it.

Proposition 4.2 There is a deterministic polynomial time algorithm that, given a
finite commutative ring $R$ and an $R$-module $M$, decides whether $M$ is a free $R$-module
of rank one, and if it is, finds a generator.

Proof. We sketch a proof. A complete proof will be given in the full version of the
paper.

The inputs are given as follows. The ring $R$ is given as an abelian group (say, as
a sum of cyclic groups) along with all the products of pairs of generators. The finite
$R$-module $M$ is given as an abelian group (say, as a sum of cyclic groups), and for all
generators of the abelian group $R$ and all generators of the abelian group $M$, we are
given the module products in $M$.

If $\#M \ne \#R$, output "no" and stop.

Suppose that $A$ and $B$ are finite commutative rings, that $R \twoheadrightarrow A \times B$ is a surjective
ring homomorphism with nilpotent kernel, and that $y_B \in M$ is such that the map
$B \to M_B = B \otimes_R M$, $b \mapsto b \otimes y_B$ is an isomorphism. Let $I$ denote the kernel of
the natural map $R \to B$ and let $N$ denote the image of $IM$ under the natural map
$M \to M_A$.

Initially, take $A = R$, $B = 0$, and $y_B = 0$. As long as $A \ne 0$, do the following.
If $N = 0$, output "no" and stop. Otherwise, pick $x_A \in IM$ whose image $x \in N$
is nonzero. Compute $\mathfrak{a} = \mathrm{Ann}_A x$, where $\mathrm{Ann}_A$ denotes the annihilator in $A$. Let
$\mathfrak{b} = \mathrm{Ann}_A \mathfrak{a}$.

If $\mathfrak{a} = \mathfrak{a}^2$, then $A \cong A/\mathfrak{a} \times A/\mathfrak{b}$ and $M_A \cong M_{A/\mathfrak{a}} \times M_{A/\mathfrak{b}}$. The image of $x$ is of
the form $(x', 0)$. If $x'$ does not generate $M_{A/\mathfrak{a}}$, stop with "no". Otherwise, compute
$\beta \in R$ that maps to $(0, 1)$ under the map $R \twoheadrightarrow A \times B$, and replace $y_B$, $B$, $A$ by
$\beta y_B + x_A$, $(A/\mathfrak{a}) \times B$, $A/\mathfrak{b}$, respectively. If $\mathfrak{a} \ne \mathfrak{a}^2$, then $\mathfrak{a} \cap \mathfrak{b}$ is a nonzero nilpotent
ideal, and we replace $A$ by $A/(\mathfrak{a} \cap \mathfrak{b})$ and leave $y_B$ unchanged.
When $A = 0$, then $I$ is nilpotent; say $I^r = 0$. Then $By = M_B = M/IM$ for
$y = (y_B \bmod IM)$. Thus,

$$M = Ry_B + IM = Ry_B + I(Ry_B + IM) = Ry_B + I^2M = \cdots = Ry_B + I^rM = Ry_B,$$

so output "yes".

Lemma 4.3 Suppose that $L$ is a $G$-lattice, $m \in \mathbb{Z}_{>0}$, and $e \in L$. Then

$$\{ae + mL : a \in G\}$$

generates $L/mL$ as an abelian group if and only if $L/(\mathbb{Z}(G) \cdot e)$ is finite of order
coprime to $m$.

Proof. The set $\{ae + mL : a \in G\}$ generates $L/mL$ as an abelian group if and only if
multiplication by $m$ is onto as a map from $L/(\mathbb{Z}(G) \cdot e)$ to itself. Since $L/(\mathbb{Z}(G) \cdot e)$
is a finitely generated abelian group, this holds if and only if $L/(\mathbb{Z}(G) \cdot e)$ is finite of
order coprime to $m$.

Proposition 4.4 (i) There is a deterministic polynomial time algorithm that, given
$G$, a $G$-lattice $L$, and $m \in \mathbb{Z}_{>0}$, decides whether there exists $e_m \in L$ such that
$\{ae_m + mL : a \in G\}$ generates $L/mL$ as an abelian group, and if so, finds one.
(ii) There is a deterministic polynomial time algorithm that, given $G$, $u$, and a $G$-
lattice $L$, decides whether $L$ is invertible.

Proof. For (i), apply Proposition 4.2 with $R = \mathbb{Z}(G)/(m)$ and $M = L/mL$.

For (ii), it is easy to check whether $\mathrm{rank}(L) = n$ and whether $L$ is unimodular
(check whether the Gram matrix has determinant 1). We need to check Definition
3.4(iii) for all $m$'s in polynomial time. We show that it suffices to check two particular
values of $m$. First take $m = 2$, and use (i) to determine if $e_2$ exists. If not, output "no".
If there is one, use (i) to compute $e_2 \in L$. By Lemma 4.3, the group $L/(\mathbb{Z}(G) \cdot e_2)$ is
finite of odd order. Let $q$ denote its order. Now apply (i) with $m = q$. If no $e_q$ exists,
output "no". If $e_q$ exists, then for all $m \in \mathbb{Z}_{>0}$ there exists $e_m \in L$ that generates
$L/mL$ as a $\mathbb{Z}(G)/(m)$-module, as follows. We can reduce to $m$ being a prime power
$p^j$, since if $\gcd(m, m') = 1$ then $L/mm'L$ is free of rank one over $\mathbb{Z}(G)/(mm')$ if and
only if $L/mL$ is free of rank one over $\mathbb{Z}(G)/(m)$ and $L/m'L$ is free of rank one over
$\mathbb{Z}(G)/(m')$. Lemma 4.3 now allows us to reduce to the case $m = p$. If $p \nmid q$, we can
take $e_p = e_2$. If $p \mid q$, we can take $e_p = e_q$.

Proposition 4.5 There is a deterministic polynomial time algorithm that, given a
finite abelian group $G$ of order $2n$ and $u \in G$ of order 2, determines prime powers $\ell$
and $m$ such that $\ell, m > 2^{n/2} + 1$ and $\gcd(k(\ell), k(m)) = k$.
Proof. One can prove that if $p$ is prime and $p \equiv 1 \bmod k$, then

$$k(p^j) = (p-1)p^{j-1},$$

using induction on $j$ and the facts that $(\mathbb{Z}(G)/(p^j))^* \supset (\mathbb{Z}/p^j\mathbb{Z})^*$ and the latter group
has exponent $(p-1)p^{j-1}$.

We next give an algorithm that, given $n, k \in \mathbb{Z}_{>0}$ with $k$ even, computes $r, s \in \mathbb{Z}_{>0}$
and primes $p$ and $q$ such that $p \equiv q \equiv 1 \bmod k$,

$$\gcd\bigl((p-1)p^{r-1},\ (q-1)q^{s-1}\bigr) = k,$$

$p^r > 2^{n/2} + 1$, and $q^s > 2^{n/2} + 1$. (We can then take $\ell = p^r$ and $m = q^s$.) Try
$p = k+1, 2k+1, 3k+1, \dots$ until the smallest prime $p \equiv 1 \bmod k$ is found. Find
the least $r$ such that $p^r > 2^{n/2} + 1$. Try $q = p+k, p+2k, \dots$ until the least prime
$q \equiv 1 \bmod k$ such that $\gcd((p-1)p, q-1) = k$ is found. Find the smallest $s$ such
that $q^s > 2^{n/2} + 1$.
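The search just described, as an added example (not the paper's code). The threshold test $x > 2^{n/2} + 1$ is decided exactly in integers as $(x-1)^2 > 2^n$, and primality is tested by trial division, which is an implementation choice here that suffices for the small auxiliary primes the search produces; the pairs $(n, k)$ in the demo are constructed inputs.

```python
from math import gcd

# Added example, not the paper's code: the deterministic search of the proof
# of Proposition 4.5 for primes p, q = 1 mod k and exponents r, s with
# gcd((p-1)p^(r-1), (q-1)q^(s-1)) = k and p^r, q^s > 2^(n/2) + 1.


def is_prime(m):
    """Trial division; adequate for the small auxiliary primes produced here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def exceeds_threshold(x, n):
    """x > 2^(n/2) + 1, decided exactly: for x > 1 this is (x-1)^2 > 2^n."""
    return x > 1 and (x - 1) ** 2 > 2 ** n


def least_exponent(p, n):
    """Least r >= 1 with p^r > 2^(n/2) + 1."""
    r = 1
    while not exceeds_threshold(p ** r, n):
        r += 1
    return r


def auxiliary_prime_powers(n, k):
    """Return (p, r, q, s); then l = p^r and m = q^s are the prime powers of
    Proposition 4.5, with k(l) = (p-1)p^(r-1) and k(m) = (q-1)q^(s-1)."""
    if k % 2:
        raise ValueError("the exponent k of G is even, since u has order 2")
    p = k + 1                                   # try k+1, 2k+1, 3k+1, ...
    while not is_prime(p):
        p += k
    r = least_exponent(p, n)
    q = p + k                                   # try p+k, p+2k, ...
    while not (is_prime(q) and gcd((p - 1) * p, q - 1) == k):
        q += k
    s = least_exponent(q, n)
    return p, r, q, s


def check_output(n, k, p, r, q, s):
    """The conditions the proof guarantees for the returned values."""
    return (p % k == 1 and q % k == 1
            and gcd((p - 1) * p ** (r - 1), (q - 1) * q ** (s - 1)) == k
            and exceeds_threshold(p ** r, n) and exceeds_threshold(q ** s, n))


if __name__ == "__main__":
    for n, k in [(3, 6), (8, 4), (10, 6), (64, 16)]:   # constructed inputs
        p, r, q, s = auxiliary_prime_powers(n, k)
        print(f"n={n} k={k}: l={p}^{r}, m={q}^{s}, "
              f"ok={check_output(n, k, p, r, q, s)}")
```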

This algorithm terminates, with correct output, in time $(n+k)^{O(1)}$. The key
ingredient for proving this is Heath-Brown's version of Linnik's theorem [7], which
implies that the prime $p$ found by the algorithm satisfies $p \le ck^{5.5}$ with an effective
constant $c$. If $p - 1 = k_1k_2$ with every prime divisor of $k_1$ also dividing $k$ and with
$\gcd(k_2, k) = 1$, then to have $\gcd((p-1)p, q-1) = k$ it suffices to have $q \equiv 2
\bmod p$ and $q \equiv 1 + k \bmod k_1$ and $q \equiv 2 \bmod k_2$. This gives a congruence $q \equiv a
\bmod p(p-1)$ for some $a$. Heath-Brown's version of Linnik's theorem implies that
$q \le c(p^2)^{5.5} \le c^{12}k^{60.5}$.

Our prime powers $\ell$ and $m$ play the roles that in the Gentry-Szydlo paper [6] were
played by auxiliary prime numbers $P, P' > 2^{(n+1)/2}$ such that

$$\gcd(P - 1, P' - 1) = 2n.$$

Our $k(\ell)$ and $k(m)$ replace their $P - 1$ and $P' - 1$, respectively. While the Gentry-
Szydlo primes $P$ and $P'$ are found with at best a probabilistic algorithm, we can find
$\ell$ and $m$ in deterministic polynomial time. (Further, the ring elements they work with
were required to not be zero divisors modulo $P$, $P'$ and other small auxiliary primes;
we require no analogous condition on $\ell$ and $m$, since by Definition 3.4(iii), when $L$ is
invertible then for all $m$, the $(\mathbb{Z}/m\mathbb{Z})(G)$-module $L/mL$ is free of rank one.)

Proposition 4.6 (i) Suppose $L$ is an integral lattice, $3 \le m \in \mathbb{Z}$, and $C \in L/mL$.
Then $C$ contains at most one element $x$ with $(x,x) = 1$.

(ii) There is a deterministic polynomial time algorithm that, given a rank $n$ integral
lattice $L$, $m \in \mathbb{Z}$ such that $m > 2^{n/2} + 1$, and $C \in L/mL$, finds all $x \in C$ with
$(x,x) = 1$ (and the number of them is 0 or 1).
Proof. For (i), suppose $x,y \in C$, $(x,x) = (y,y) = 1$, and $x \ne y$. Since $x - y \in mL$
and $L$ is an integral lattice, we have

$$m \le (x-y, x-y)^{1/2} \le (x,x)^{1/2} + (y,y)^{1/2} = 1 + 1 = 2$$

by the triangle inequality. This contradicts $m \ge 3$, giving (i).

For (ii), using LLL to solve the closest vector problem, one can find (in polynomial
time) $y \in C$ such that $(y,y) \le (2^n - 1)(x,x)$ for all $x \in C$. Suppose $x \in C$ with
$(x,x) = 1$. Since $x,y \in C$, there exists $w \in L$ such that $x - y = mw$. Then

$$m(w,w)^{1/2} = (x-y, x-y)^{1/2} \le (x,x)^{1/2} + (y,y)^{1/2} \le (1 + 2^{n/2})(x,x)^{1/2} < m.$$

Therefore $1 > (w,w)^{1/2}$ with $(w,w) \in \mathbb{Z}$, so $w = 0$, and thus $y = x$. Compute $(y,y)$. If $(y,y) = 1$,
output $y$. If $(y,y) \ne 1$, there is no $x \in C$ with $(x,x) = 1$.

The $n$ of [6] is an odd prime, so $k = 2n$ and $\mathbb{Z}(G)$ embeds in $\mathbb{Q}(\zeta_n) \times \mathbb{Q}$. Since
the latter is a product of only two number fields, the number of zeros of $X^{2n} - v^{2n}$
is at most $(2n)^2$, and the Gentry-Szydlo method for finding $v$ from $v^{2n}$ is sufficiently
efficient. If one wants to generalize [6] to the case where $n$ is not prime, then the
smallest $t$ such that $\mathbb{Z}(G)$ embeds in $F_1 \times \cdots \times F_t$ with number fields $F_i$ can be large.
Given $v$, the number of zeros of $X^k - v$ could be as large as $k^t$. Finding $e$ such that
$v = e^k$ then requires a more efficient algorithm, which we attain with Proposition 4.9
below.

An order is a commutative ring $A$ whose additive group is isomorphic to $\mathbb{Z}^n$ for
some $n \in \mathbb{Z}_{>0}$. We specify an order by saying how to multiply any two vectors in a
given basis. Let $\mu(A)$ denote the group of roots of unity in $A$.

Proposition 4.7 There is a deterministic polynomial time algorithm that, given an
order $A$, determines a set of generators for $\mu(A)$.

Proof.  The  proof  is  a  bit  intricate,  involving  commutative  algebra  and  algorithmic 
algebraic  number  theory.  We  give  a  sketch.  See  [1]  for  commutative  algebra  back¬ 
ground. 

One starts by computing the nilradical $N$ of the $\mathbb Q$-algebra $A_{\mathbb Q} = A \otimes \mathbb Q$ as well as the unique subalgebra $E \subset A_{\mathbb Q}$ that maps isomorphically to $A_{\mathbb Q}/N$. One has $\mu(A) \subset E$, so replacing $A$ by $A \cap E$ one reduces to the case in which the nilradical of $A$ is $0$, which we now assume. Next one determines the set $\mathrm{Spec}(E)$ of prime ideals $\mathfrak m$ of $E$. For each $\mathfrak m$ we compute $E/\mathfrak m$, which is an algebraic number field, and we also compute its subring $A/(\mathfrak m \cap A)$. One has $E = \prod_{\mathfrak m \in \mathrm{Spec}(E)} E/\mathfrak m$, and we identify $A$ with a subring of finite additive index in the product ring $B = \prod_{\mathfrak m \in \mathrm{Spec}(E)} A/(\mathfrak m \cap A)$.

For each prime number $p$ dividing $|\mu(A)|$ one has $p \le 1 + \dim_{\mathbb Q} E$, so it will suffice to find, for each such $p$, a set of generators for the $p$-primary component $\mu(A)_p$ of $\mu(A)$. Fix now a prime number $p \le 1 + \dim_{\mathbb Q} E$. Since each $A/(\mathfrak m \cap A)$ is contained in a number field, $\mu(A/(\mathfrak m \cap A))_p$ is cyclic and easy to determine. This leads to a set of generators for $\mu(B)_p$.

Compute $C = \{x \in B : p^i x \in A \text{ for some } i \in \mathbb Z_{>0}\}$; this is a subring of $B$ containing $A$. The group $C/A$ is finite of $p$-power order, and the group $B/C$ is finite of order not divisible by $p$. We make $\mathrm{Spec}(E)$ into the set of vertices of a graph by connecting $\mathfrak m, \mathfrak n \in \mathrm{Spec}(E)$ with an edge if and only if

\[ (\mathfrak m \cap C) + (\mathfrak n \cap C) \ne C. \]

For each connected component $V$ of this graph, determine the image $C_V$ of $C$ in the product ring $\prod_{\mathfrak m \in V} A/(\mathfrak m \cap A)$. Then one can show that one has $C = \prod_V C_V$, with $V$ ranging over the connected components, so that $\mu(C)_p = \prod_V \mu(C_V)_p$. In addition, one can show that for each $V$ and each $\mathfrak m \in V$ the natural map $\mu(C_V)_p \to \mu(A/(\mathfrak m \cap A))_p$ is injective, so that $\mu(C_V)_p$ is cyclic; the proof also leads to an efficient algorithm for computing $\mu(C_V)_p$. Thus, at this point one knows a set of generators for $\mu(C)_p$.

To pass from $\mu(C)_p$ to $\mu(A)_p$, one starts by computing the intersection $\mathfrak r$ of all maximal ideals of $C$ that contain $p$, as well as $\mathfrak s = \mathfrak r \cap A$. One has $\mu(C)_p \subset 1 + \mathfrak r$ and $\mu(A)_p = \mu(C)_p \cap (1 + \mathfrak s)$. To compute the latter intersection, one determines $t \in \mathbb Z_{>0}$ with $p^t C \subset A$ as well as a presentation for the finite abelian $p$-group $1 + (\mathfrak r/p^t C)$, which is a subgroup of the unit group $(C/p^t C)^*$; to do this, one uses that $\mathfrak r/p^t C$ is a nilpotent ideal of $C/p^t C$. The group $\mu(A)_p$ is now obtained as the kernel of the natural map $\mu(C)_p \to (1 + (\mathfrak r/p^t C))/(1 + (\mathfrak s/p^t C))$.

Proposition 4.8 Suppose $L$ is an invertible $G$-lattice, $r \in \mathbb Z_{>0}$, and $v$ is a short vector in the $G$-lattice $L^r$. Let $A = \Lambda/(v - 1)$. Identifying $\bigoplus_{i=0}^{r-1} L^i \subset \Lambda$ with its image in $A$, we can view $A = \bigoplus_{i=0}^{r-1} L^i$ as a $\mathbb Z/r\mathbb Z$-graded ring. Then:

(i) $G \subset \mu(A) \subset \bigcup_{i=0}^{r-1} L^i$,

(ii) $\{e \in L : e\bar e = 1\} = \mu(A) \cap L$,

(iii) $|\mu(A)|$ is divisible by $2n$ and divides $2nr$, and

(iv) there exists $e \in L$ for which $e\bar e = 1$ if and only if $|\mu(A)| = 2nr$.

Proof. Since the ideal $(\bar v - 1) = (v^{-1} - 1) = (1 - v) = (v - 1)$, the map $a \mapsto \bar a$ induces an involution on $A$. Since the lattice's inner product is symmetric and positive definite, for all ring homomorphisms $\psi : A \to \mathbb C$ we have $\psi(\bar a) = \overline{\psi(a)}$ for all $a \in A$, and $\bigcap_\psi \ker\psi = 0$. Let $E = \{e \in A : e\bar e = 1\}$, a subgroup of $A^*$.

Suppose $e \in \mu(A)$. Then for all ring homomorphisms $\psi : A \to \mathbb C$ we have $1 = \overline{\psi(e)}\psi(e) = \psi(\bar e)\psi(e) = \psi(\bar e e)$, so $e\bar e = 1$. Thus, $\mu(A) \subset E$.

Conversely, suppose $e \in E$. Write $e = \sum_{i=0}^{r-1} \varepsilon_i$ with $\varepsilon_i \in L^i$, so $\bar e = \sum_{i=0}^{r-1} \bar\varepsilon_i$ with $\bar\varepsilon_i \in L^{-i} = L^{r-i}$ in $A$. We have $1 = e\bar e = \sum_{i=0}^{r-1} \varepsilon_i\bar\varepsilon_i$ (the degree $0$ piece of $e\bar e$). Applying the map $t$ of Definition 2.9 and using (1) we have $1 = \sum_{i=0}^{r-1} \langle \varepsilon_i, \varepsilon_i\rangle$. It follows that there exists $j$ such that $\langle \varepsilon_j, \varepsilon_j\rangle = 1$, and $\varepsilon_i = 0$ if $i \ne j$. Thus, $E \subset \bigcup_{i=0}^{r-1}\{e \in L^i : \langle e, e\rangle = 1\}$, giving (i). By Proposition 3.9(iii) and Example 3.8 we have $E \cap \mathbb Z(G) = G$, so $\mu(\mathbb Z(G)) = G$.

The degree map from $E$ to $\mathbb Z/r\mathbb Z$ that takes $e \in E$ to $j$ such that $e \in L^j$ is a group homomorphism with kernel $E \cap \mathbb Z(G) = G$. Therefore, $|E|$ divides $|G| \cdot |\mathbb Z/r\mathbb Z| = 2nr$. Thus, $E \subset \mu(A) \subset E$, so $E = \mu(A)$ and we have (ii,iii). The degree map is surjective if and only if $|\mu(A)| = 2nr$, and if and only if $1$ is in the image, i.e., if and only if $\mu(A) \cap L \ne \emptyset$. Part (iv) now follows from (ii).

Proposition 4.9 There is a deterministic polynomial time algorithm that, given $G$ of exponent $k$, an invertible $G$-lattice $L$, and $v \in L^k$, determines whether there exists $e \in L$ such that $v = e^k$ and $e\bar e = 1$, and if so, finds one.

Proof. Check whether $v\bar v = 1$. If so, let $A = \Lambda/(v - 1)$ and apply Proposition 4.7 to compute generators for $\mu(A)$. Using Proposition 4.8 with $r = k$, apply the degree map $\mu(A) \to \mathbb Z/k\mathbb Z$ to the generators, check whether the images generate $\mathbb Z/k\mathbb Z$, and if they do, compute an element $e \in \mu(A)$ whose image is $1$. Then $e \in \mu(A) \cap L = \{e \in L : e\bar e = 1\}$. Check whether $v = e^k$. If any step fails, no such $e$ exists (by Remark 4.1). The algorithm runs in polynomial time since $2nk \le (2n)^2$.


5  The  Algorithm 

We present the main algorithm, followed by a fuller explanation. As before, $k$ is the exponent of the group $G$ and $k(j)$ is the exponent of $(\mathbb Z(G)/(j))^*$ if $j \in \mathbb Z_{>1}$.

Algorithm 5.1 Input a finite abelian group $G$, an element $u \in G$ of order $2$, and a $G$-lattice $L$. Output a $G$-isomorphism $\mathbb Z(G) \to L$, or a proof that none exists.

(i) Apply Proposition 4.4(ii) to check whether $L$ is invertible. If it is not, terminate with "no".

(ii) Find $\ell$ and $m$ as in Proposition 4.5.

(iii) Compute $e_{\ell m}$ as in Proposition 4.4(i).

(iv) Using an addition chain for $k(m)$ and the algorithms mentioned in §3.3, compute the pair $(L^{k(m)}, e_{\ell m}^{k(m)} + mL^{k(m)})$. Use Proposition 4.6(ii) to decide whether the coset $e_{\ell m}^{k(m)} + mL^{k(m)}$ contains a short vector $v_m \in L^{k(m)}$, and if so, compute it. Terminate with "no" if none exists.

(v) Compute $s \in ((\mathbb Z/\ell\mathbb Z)(G))^*$ such that

\[ v_m = s\,(e_{\ell m}^{k(m)} + \ell L^{k(m)}) \]

in $L^{k(m)}/\ell L^{k(m)}$.

(vi) Use the extended Euclidean algorithm to find $b \in \mathbb Z$ such that

\[ b\,k(m) \equiv k \bmod k(\ell). \]

(vii) Using an addition chain for $k$ and the algorithms mentioned in §3.3, compute the pair $(L^k, e_{\ell m}^k + \ell L^k)$ and compute $s^b(e_{\ell m}^k + \ell L^k)$. Use Proposition 4.6(ii) to decide whether the latter coset contains a short vector $v \in L^k$, and if so, compute it. Terminate with "no" if none exists.

(viii) Apply Proposition 4.9 to find $e \in L$ such that $v = e^k$ and $e\bar e = 1$ (or to prove there is no $G$-isomorphism).

We explain the algorithm in more detail. By Proposition 3.10(iii), the $G$-lattice $L$ is $G$-isomorphic to $\mathbb Z(G)$ if and only if $L$ is invertible and has a short vector. Run the algorithm in Proposition 4.4(ii) to check whether $L$ is invertible. If it is not, terminate with "no". If it is, we look for an $e \in L$ such that $e\bar e = 1$. Lattice basis reduction algorithms such as LLL can find fairly short vectors, but they are not nearly short enough for our purpose. We supplement LLL with computations modulo $m$. Any short $e$ satisfies $\mathbb Z(G)e = L$, which implies that for all $m \in \mathbb Z_{>0}$, the coset $e + mL$ generates $L/mL$ as a $\mathbb Z(G)/(m)$-module. Proposition 4.4(i) gives another generator $e_m$. Thus, $e_m = ye$ for some $y \in (\mathbb Z(G)/(m))^*$. We have $e_m^{k(m)} \bmod m = e^{k(m)} \bmod m$ in $\Lambda/m\Lambda$. Apply Proposition 4.5 to find prime powers $m, \ell > 2^{n/2} + 1$ such that

\[ \gcd(k(\ell), k(m)) = k. \]

Compute $e_{\ell m}$ (which works as both $e_m$ and $e_\ell$) as in Proposition 4.4(i). Proposition 4.6(ii) applied to the coset $e_{\ell m}^{k(m)} + mL^{k(m)} \in L^{k(m)}/mL^{k(m)}$ finds a short vector $v_m$ (if it exists). If $e \in L$ is short, then $v_m = e^{k(m)}$ by Proposition 4.6(i).

Since $e_{\ell m}^{k(m)}$ (by definition) and $v_m$ (by Proposition 3.10(ii)) each generate the $(\mathbb Z/\ell\mathbb Z)(G)$-module $L^{k(m)}/\ell L^{k(m)}$, we can find $s \in ((\mathbb Z/\ell\mathbb Z)(G))^*$ such that $v_m = s(e_{\ell m}^{k(m)} + \ell L^{k(m)})$ in $L^{k(m)}/\ell L^{k(m)}$. Since $k = \gcd(k(\ell), k(m))$, we can use the extended Euclidean algorithm to find $a, b \in \mathbb Z$ such that $ak(\ell) + bk(m) = k$. Compute $s^b \in ((\mathbb Z/\ell\mathbb Z)(G))^*$ and $s^b e_{\ell m}^k \in L^k/\ell L^k$ and use Proposition 4.6(ii) to compute a short $v \in L^k$ in this coset or prove that none exists. If $e \in L$ is short, then $e^{k(m)} = v_m = s\,e_{\ell m}^{k(m)} \bmod \ell\Lambda$, so $e^k = (e^{k(\ell)})^a (e^{k(m)})^b = s^b e_{\ell m}^{k} \bmod \ell\Lambda$, so $s^b(e_{\ell m}^k + \ell L^k)$ contains the short vector $e^k$ of $L^k$, and by Proposition 4.6(i) we have $v = e^k$. Proposition 4.9 then finds a short vector $e \in L$, or proves none exists. The map $x \mapsto xe$ gives the desired $G$-isomorphism from $\mathbb Z(G)$ to $L$. This completes the proof of Theorem 1.1.

Remark 5.2 There is a version of the algorithm in which checking invertibility in step (i) is skipped. In this case, the algorithm may misbehave at other points, indicating that $L$ is not invertible and thus not $G$-isomorphic to $\mathbb Z(G)$. At the end one would check whether $\langle e, e\rangle = 1$ and $\langle e, \sigma e\rangle = 0$ for all $\sigma \ne 1, u$. If so, then $\{\sigma e\}_{\sigma \in S}$ is an orthonormal basis for $L$, and $x \mapsto xe$ gives the desired isomorphism; if not, no such isomorphism exists.
DETERMINING CYCLICITY OF FINITE MODULES


H.  W.  LENSTRA,  JR.  AND  A.  SILVERBERG 


Abstract.  We  present  a  deterministic  polynomial-time  algorithm  that  determines 
whether  a  finite  module  over  a  finite  commutative  ring  is  cyclic,  and  if  it  is,  outputs 
a  generator. 


1.  Introduction 

If $R$ is a commutative ring, then an $R$-module $M$ is cyclic if there exists $y \in M$ such that $M = Ry$.

Theorem 1.1. There is a deterministic polynomial-time algorithm that, given a finite commutative ring $R$ and a finite $R$-module $M$, decides whether there exists $y \in M$ such that $M = Ry$, and if there is, finds such a $y$.

We present the algorithm in Algorithm 4.1 below. The inputs are given as follows. The ring $R$ is given as an abelian group by generators and relations, along with all the products of pairs of generators. The finite $R$-module $M$ is given as an abelian group, and for all generators of the abelian group $R$ and all generators of the abelian group $M$ we are given the module products in $M$.

Our algorithm depends on $R$ being an Artin ring, and should generalize to finitely generated modules over any commutative Artin ring that is computationally accessible.

Theorem 1.1 is one of the ingredients of our work [4, 5] on lattices with symmetry, and a sketch of the proof is contained in [4]. Previously published algorithms of the 
same  nature  appear  to  restrict  to  rings  that  are  algebras  over  fields.  Subsequently  to 
[4],  I.  Ciocanea-Teodorescu  [2],  using  different  and  more  elaborate  techniques,  greatly 
generalized  our  result,  dropping  the  commutativity  assumption  on  the  finite  ring  R 
and  finding,  for  any  given  finite  R-module  M,  a  set  of  generators  for  M  of  smallest 
possible  size. 

See  Chapter  8  of  [1]  for  commutative  algebra  background.  For  the  purposes  of  this 
paper,  commutative  rings  have  an  identity  element  1,  which  may  be  0. 

Key words and phrases. algebraic algorithms, finite rings, cyclic modules.

2. Lemmas on commutative rings

If $R$ is a commutative ring and $\mathfrak a$ is an ideal in $R$, let $\mathrm{Ann}_R\,\mathfrak a$ denote the annihilator of $\mathfrak a$ in $R$. We will use that every finite commutative ring is an Artin ring, that every Artin ring is isomorphic to a finite direct product of local Artin rings, and that the maximal ideal in a local Artin ring is always nilpotent.

Lemma 2.1. If $A$ is a local Artin ring, $\mathfrak a$ is an ideal in $A$, and $\mathfrak a^2 = \mathfrak a$, then $\mathfrak a$ is $0$ or $A$.

Proof. If $\mathfrak a$ contains a unit, then $\mathfrak a = A$. Otherwise, $\mathfrak a$ is contained in the maximal ideal $\mathfrak m$, which is nilpotent. Thus there is an $r \in \mathbb Z_{>0}$ such that $\mathfrak m^r = 0$. Now $\mathfrak a = \mathfrak a^2 = \cdots = \mathfrak a^r \subset \mathfrak m^r = 0$. □

Lemma 2.2. Suppose that $A$ is a finite commutative ring, $\mathfrak a$ is an ideal in $A$, $\mathfrak b = \mathrm{Ann}_A\,\mathfrak a$, and $\mathfrak a \cap \mathfrak b = 0$. Then:

(i) $\mathfrak a^2 = \mathfrak a$;

(ii) there is an idempotent $e \in A$ such that $\mathfrak a = eA$, $\mathfrak b = (1 - e)A$, and $A = (1 - e)A \oplus eA = \mathfrak b \oplus \mathfrak a$;

(iii) if $\mathfrak b = 0$ then $\mathfrak a = A$.

Proof. Write $A$ as a finite direct product of local Artin rings $A_1 \times \cdots \times A_s$. Then $\mathfrak a$ is a direct product $\mathfrak a_1 \times \cdots \times \mathfrak a_s$ of ideals $\mathfrak a_i \subset A_i$. Assume $\mathfrak a^2 \ne \mathfrak a$. Then there is an $i$ such that $\mathfrak a_i^2 \ne \mathfrak a_i$. Let $\mathfrak b_i = \mathrm{Ann}_{A_i}\,\mathfrak a_i$. Since $\mathfrak a \cap \mathfrak b = 0$, it follows that $\mathfrak a_i \cap \mathfrak b_i = 0$. Since $A_i$ is a local ring, $\mathfrak a_i$ is contained in the maximal ideal of $A_i$, so $\mathfrak a_i$ is nilpotent. Let $r$ denote the smallest positive integer such that $\mathfrak a_i^r = 0$. Since $\mathfrak a_i \ne 0$ we have $r \ge 2$. Then $\mathfrak a_i^{r-1}$ is contained in $\mathfrak a_i$ and kills $\mathfrak a_i$, so $0 \ne \mathfrak a_i^{r-1} \subset \mathfrak a_i \cap \mathfrak b_i = 0$, a contradiction. This gives (i).

Since $A$ is a finite product of local Artin rings, $\mathfrak a$ is generated by an idempotent $e$, by Lemma 2.1. Then $\mathfrak b = (1 - e)A$ and $A = (1 - e)A \oplus eA = \mathfrak b \oplus \mathfrak a$. This gives (ii) and (iii). □


3.  Preparatory  lemmas 

If $R$ is a commutative ring, then a commutative $R$-algebra is a commutative ring $A$ equipped with a ring homomorphism from $R$ to $A$. Whenever $A$ is an $R$-algebra, we let $M_A$ denote the $A$-module $A \otimes_R M$.

From now on, suppose $R$ is a finite commutative ring and $M$ is a finite $R$-module. Let $S$ denote the set of quadruples $(A, B, y, N)$ such that:

(i) $A$ and $B$ are finite commutative $R$-algebras for which the natural map $f : R \to A \times B$ is surjective and has nilpotent kernel,

(ii) $y \in M$ is such that the map $B \to M_B = B \otimes_R M$ defined by $b \mapsto b \otimes y$ is an isomorphism and such that $1 \otimes y = 0$ in $M_A$,

(iii) and $N$ is a submodule of $M$ such that the natural map $N \to M_A$ defined by $z \mapsto 1 \otimes z$ is onto and such that the natural map $N \to M_B$ is the zero map.

In Algorithm 4.1 below, initially we take $(A, B, y, N) = (R, 0, 0, M)$. Clearly, $(R, 0, 0, M) \in S$. Throughout that algorithm, we always have $(A, B, y, N) \in S$. While $A$ and $B$ occur in the proof of correctness of Algorithm 4.1, the $R$-algebra $B$ does not actually occur in the algorithm itself.

Lemma 3.1. If $(A, B, y, N) \in S$ and $M_A = 0$, then $M = Ry$.

Proof. Let $J$ denote the kernel of $f : R \to A \times B$, and let $I_A$ (resp., $I_B$) denote the kernel of the composition of $f$ with projection from $A \times B$ onto $A$ (resp., $B$). Since $J$ is nilpotent we have $J^r = 0$ for some $r \in \mathbb Z_{>0}$. Since $0 = M_A = A \otimes_R M = (R/I_A) \otimes_R M = M/I_A M$ it follows that $I_A M = M$. Since $JM \subset I_B M = I_B I_A M \subset (I_B \cap I_A)M = JM$, it follows that $JM = I_B M$. Letting $y' = (y \bmod I_B M) \in M/I_B M$, then $M_B = M/I_B M = By'$. Thus,

\[ M = Ry + I_B M = Ry + JM = Ry + J(Ry + JM) = Ry + J^2 M = \cdots = Ry + J^r M = Ry. \]

□

Lemma 3.2. Suppose $(A, B, y, N) \in S$ and $M_A \ne 0$. Then there exists $x \in N$ such that $1 \otimes x \ne 0$ in $M_A$. Choosing $x$ and letting $\mathfrak a = \mathrm{Ann}_A(1 \otimes x)$ and $\mathfrak b = \mathrm{Ann}_A\,\mathfrak a$, we have:

(i) $(A/(\mathfrak a \cap \mathfrak b), B, y, N) \in S$;

(ii) If $\mathfrak a \cap \mathfrak b = 0$ and $(A/\mathfrak a) \otimes x = M_{A/\mathfrak a}$, then $(A/\mathfrak b, (A/\mathfrak a) \times B, x + y, \mathfrak a N) \in S$, where $\mathfrak a N$ denotes $f^{-1}(\mathfrak a \times B)N$;

(iii) If $\mathfrak a \cap \mathfrak b = 0$ and $(A/\mathfrak a) \otimes x \ne M_{A/\mathfrak a}$, then $M$ is not cyclic.

Proof. Since the map $N \to M_A$, $z \mapsto 1 \otimes z$ is onto, as long as $M_A \ne 0$ there exists $x \in N$ such that $1 \otimes x \ne 0$ in $M_A$.

Since $\mathfrak a\mathfrak b = 0$, we have $(\mathfrak a \cap \mathfrak b)^2 = 0$, so $\mathfrak a \cap \mathfrak b$ is a nilpotent ideal in $A$. It follows that $(A/(\mathfrak a \cap \mathfrak b), B, y, N) \in S$, giving (i).

From now on, suppose that $\mathfrak a \cap \mathfrak b = 0$. By Lemma 2.2, there is an idempotent $e \in A$ such that $\mathfrak a = eA$, $\mathfrak b = (1 - e)A$, and $A = (1 - e)A \oplus eA = \mathfrak b \oplus \mathfrak a$. It follows that $A \cong A/\mathfrak a \times A/\mathfrak b$, so $M_A \cong M_{A/\mathfrak a} \times M_{A/\mathfrak b}$. If $(x', x'')$ is the image of $1 \otimes x$ under the latter map, then $x'' = 0$ (we have $\mathfrak b x'' = 0$ since $x'' \in (A/\mathfrak b) \otimes M$, and $\mathfrak a x'' = 0$ since $\mathfrak a(1 \otimes x) = 0$; thus $Ax'' = (\mathfrak a + \mathfrak b)x'' = 0$, so $x'' = 0$). The map $i_{\mathfrak a} : A/\mathfrak a \to M_{A/\mathfrak a}$ defined by $i_{\mathfrak a}(t) = tx' = t \otimes x$ is injective since $\mathrm{Ann}_{A/\mathfrak a}\,x' = 0$.

First suppose $(A/\mathfrak a) \otimes x = M_{A/\mathfrak a}$. Then the injective map $i_{\mathfrak a}$ is an isomorphism. Since $0 = x'' = 1_{A/\mathfrak b} \otimes x$, we have $1 \otimes (x + y) = 0$ in $M_{A/\mathfrak b}$. It is now easy to check that $(A/\mathfrak b, (A/\mathfrak a) \times B, x + y, \mathfrak a N) \in S$, giving (ii). Note that $\mathfrak b \ne 0$ (if $\mathfrak b = 0$, then $\mathfrak a = A$ by Lemma 2.2, contradicting that $1 \otimes x \ne 0$ in $M_A$).

Now suppose that $(A/\mathfrak a) \otimes x \ne M_{A/\mathfrak a}$. By way of contradiction, suppose $M$ is a cyclic $R$-module. Then $M_{A/\mathfrak a}$ is a cyclic $A/\mathfrak a$-module. Since the domain and codomain of $i_{\mathfrak a} : A/\mathfrak a \to M_{A/\mathfrak a}$ are both finite, it now follows that $i_{\mathfrak a}$ is surjective, so $(A/\mathfrak a) \otimes x = M_{A/\mathfrak a}$. This contradiction gives (iii). □
The intuition behind Algorithm 4.1 is that throughout the algorithm, $y$ generates the "non-$A$ part" of $M$, and the goal is to shrink the "$A$-part" of $M$, namely $N$.

4.  Main  algorithm 

Algorithm 4.1. Input a finite commutative ring $R$ and a finite $R$-module $M$. Decide whether there exists $y \in M$ such that $M = Ry$, and if there is, find such a $y$.

(i) Initially, take $A = R$, $y = 0$, and $N = M$.

(ii) If $M_A = 0$, stop and output "yes" with generator $y$.

(iii) Otherwise, pick $x \in N$ such that $1 \otimes x \ne 0$ in $M_A$, and compute $\mathfrak a = \mathrm{Ann}_A(1 \otimes x)$, $\mathfrak b = \mathrm{Ann}_A\,\mathfrak a$, and $\mathfrak a \cap \mathfrak b$.

(iv) If $\mathfrak a \cap \mathfrak b \ne 0$, replace $A$ by $A/(\mathfrak a \cap \mathfrak b)$ and go back to step (ii).

(v) If $\mathfrak a \cap \mathfrak b = 0$, then if $(A/\mathfrak a) \otimes x \ne M_{A/\mathfrak a}$ terminate with "no", and if $(A/\mathfrak a) \otimes x = M_{A/\mathfrak a}$ replace $A$, $y$, and $N$ by $A/\mathfrak b$, $x + y$, and $\mathfrak a N$, respectively, and go back to step (ii).
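The following run of Algorithm 4.1 is a worked example added here for illustration; it is not from the paper. The input is constructed: $R = \mathbb Z/6\mathbb Z$ acting on $M = \mathbb Z/2\mathbb Z \oplus \mathbb Z/3\mathbb Z$ by reduction, with $M_A$ computed as $M/I_A M$ for $I_A = \ker(R \to A)$ as in the proof of Proposition 4.2; a second, non-cyclic input shows the "no" branch of step (v).

```latex
% Worked run of Algorithm 4.1 (added illustration; constructed input, not from the paper).
% Ideals a, b are as in step (iii); a N is computed as f^{-1}(a x B) N, as in Lemma 3.2(ii).
\begin{align*}
&\textbf{Round 1.}\quad A = R = \mathbb Z/6\mathbb Z,\ y = 0,\ N = M,\ B = 0;\quad M_A = M \neq 0.\ \text{Pick } x = (1,0) \in N.\\
&\quad \mathfrak a = \mathrm{Ann}_A(1 \otimes x) = \{t : t\,(1,0) = 0\} = 2A = \{0,2,4\},\qquad
  \mathfrak b = \mathrm{Ann}_A\,\mathfrak a = \{t : 2t = 0\} = 3A = \{0,3\},\qquad \mathfrak a \cap \mathfrak b = 0.\\
&\quad \mathfrak a M = 0 \oplus \mathbb Z/3\mathbb Z,\ \text{so } M_{A/\mathfrak a} = M/\mathfrak a M \cong \mathbb Z/2\mathbb Z \oplus 0
  = (\mathbb Z/2\mathbb Z)\,(1,0) = (A/\mathfrak a) \otimes x.\\
&\quad \text{Step (v): } A \leftarrow A/\mathfrak b \cong \mathbb Z/3\mathbb Z,\quad y \leftarrow x + y = (1,0),\quad
  N \leftarrow \mathfrak a N = 2M = 0 \oplus \mathbb Z/3\mathbb Z,\quad B \leftarrow (A/\mathfrak a)\times B \cong \mathbb Z/2\mathbb Z.\\[4pt]
&\textbf{Round 2.}\quad I_A = 3R,\ 3M = \mathbb Z/2\mathbb Z \oplus 0,\ \text{so } M_A = M/3M \cong 0 \oplus \mathbb Z/3\mathbb Z \neq 0.
  \ \text{Pick } x = (0,1) \in N.\\
&\quad \mathfrak a = \mathrm{Ann}_A(1 \otimes x) = \{t \in \mathbb Z/3\mathbb Z : (0,t) \in 3M\} = 0,\qquad
  \mathfrak b = \mathrm{Ann}_A\,0 = A,\qquad \mathfrak a \cap \mathfrak b = 0,\\
&\quad (A/\mathfrak a) \otimes x = (\mathbb Z/3\mathbb Z)\,(0,1) = M_{A/\mathfrak a} = M_A
  \ (\text{both of order } 3).\\
&\quad \text{Step (v): } A \leftarrow A/\mathfrak b = 0,\quad y \leftarrow (0,1) + (1,0) = (1,1),\quad
  N \leftarrow \mathfrak a N = f^{-1}(0 \times B)\,N = 3R \cdot (0 \oplus \mathbb Z/3\mathbb Z) = 0.\\[4pt]
&\textbf{Round 3.}\quad M_A = 0:\ \text{output ``yes'' with generator } y = (1,1);
  \ \text{indeed } R\cdot(1,1) = M \text{ since } (1,1) \text{ has order } 6.
\end{align*}

% The "no" branch, on the non-cyclic constructed input R = Z/2Z, M' = (Z/2Z)^2.
\begin{align*}
&A = R = \mathbb Z/2\mathbb Z,\ y = 0,\ N = M';\quad M'_A = M' \neq 0.\ \text{Pick } x = (1,0).\\
&\quad \mathfrak a = \mathrm{Ann}_A(x) = 0,\qquad \mathfrak b = \mathrm{Ann}_A\,0 = A,\qquad \mathfrak a \cap \mathfrak b = 0,\\
&\quad (A/\mathfrak a) \otimes x = \{0,(1,0)\} \neq M'_{A/\mathfrak a} = M',
  \ \text{so step (v) terminates with ``no''}\\
&\quad (\text{as it must: } |M'| = 4 > |R| = 2, \text{ so no single element generates } M').
\end{align*}
```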

Proposition 4.2. Algorithm 4.1 runs in polynomial time, and on input a finite commutative ring $R$ and a finite $R$-module $M$, decides whether there exists $y \in M$ such that $M = Ry$, and if there is, finds such a $y$.

Proof. Since $A$ is a finite ring, if the algorithm does not stop with "no" then eventually $A = 0$ and $M_A = 0$. Step (ii) of the algorithm is justified by Lemma 3.1, while steps (iii), (iv), and (v) are justified by Lemma 3.2.

The computations of annihilators and of the decompositions $A \cong A/\mathfrak a \times A/\mathfrak b$ can be done in polynomial time using linear algebra (see §14 of [3]); in particular, $\mathfrak a$ is the kernel of the map $A \to M_A$ defined by $t \mapsto t(1 \otimes x)$. For any $B$, compute $M_B$ by computing $M/I_B M$ (and analogously for $M_A$). Each new $A$ is at most half the size of the $A$ it replaces. This implies that the number of steps is at most linear in the length of the input. □
LATTICES WITH SYMMETRY


H.  W.  LENSTRA,  JR.  AND  A.  SILVERBERG 


Abstract.  For  large  ranks,  there  is  no  good  algorithm  that  decides  whether  a 
given  lattice  has  an  orthonormal  basis.  But  when  the  lattice  is  given  with  enough 
symmetry,  we  can  construct  a  provably  deterministic  polynomial-time  algorithm  to 
accomplish  this,  based  on  the  work  of  Gentry  and  Szydlo.  The  techniques  involve 
algorithmic  algebraic  number  theory,  analytic  number  theory,  commutative  algebra, 
and  lattice  basis  reduction. 


1.  Introduction 

Let $G$ be a finite abelian group and let $u \in G$ be a fixed element of order $2$. Define a $G$-lattice to be an integral lattice $L$ with an action of $G$ on $L$ that preserves the inner product, such that $u$ acts as $-1$. The standard $G$-lattice is the modified group ring $\mathbb Z(G) = \mathbb Z[G]/(u + 1)$, equipped with a natural inner product; we refer to Sections 2, 5, and 6 for more precise definitions. Our main result reads as follows:

Theorem 1.1. There is a deterministic polynomial-time algorithm that, given a finite abelian group $G$ with an element $u$ of order $2$, and a $G$-lattice $L$, decides whether $L$ and $\mathbb Z(G)$ are isomorphic as $G$-lattices, and if they are, exhibits such an isomorphism.

We call a $G$-lattice $L$ invertible if it is unimodular and there is a $\mathbb Z(G)$-module $M$ such that $L \otimes_{\mathbb Z(G)} M$ and $\mathbb Z(G)$ are isomorphic as $\mathbb Z(G)$-modules (see Definition 9.5 and Theorem 11.1). For example, the standard $G$-lattice is invertible. The following result is a consequence of Theorem 1.1.

Theorem 1.2. There is a deterministic polynomial-time algorithm that, given a finite abelian group $G$ equipped with an element of order $2$, and invertible $G$-lattices $L$ and $M$, decides whether $L$ and $M$ are isomorphic as $G$-lattices, and if they are, exhibits such an isomorphism.

Key words and phrases. lattices, Gentry-Szydlo algorithm, ideal lattices, lattice-based cryptography.

This  material  is  based  on  research  sponsored  by  DARPA  under  agreement  numbers  FA8750-11- 
1-0248  and  FA8750-13-2-0054  and  by  the  Alfred  P.  Sloan  Foundation.  The  U.S.  Government  is 
authorized  to  reproduce  and  distribute  reprints  for  Governmental  purposes  notwithstanding  any 
copyright  notation  thereon.  The  views  and  conclusions  contained  herein  are  those  of  the  authors 
and  should  not  be  interpreted  as  necessarily  representing  the  official  policies  or  endorsements,  either 
expressed  or  implied,  of  DARPA  or  the  U.S.  Government. 
the 2013 Workshop on Lattices with Symmetry. An extended abstract [7] appears in the Proceedings of Crypto 2014.
Deciding whether two lattices are isomorphic is a notorious problem. Our results show that it admits a satisfactory solution if the lattices are equipped with sufficient structure.

Our  algorithms  and  runtime  estimates  draw  upon  an  array  of  techniques  from 
algorithmic  algebraic  number  theory,  commutative  algebra,  lattice  basis  reduction, 
and  analytic  number  theory. 

An  important  ingredient  to  our  algorithm  is  a  powerful  novel  technique  that  was 
invented  by  C.  Gentry  and  M.  Szydlo  in  Section  7  of  [3].  We  recast  their  method  in 
the  language  of  commutative  algebra,  replacing  the  “polynomial  chains”  that  they 
used  to  compute  powers  of  ideals  in  certain  rings  by  tensor  powers  of  modules.  A 
number  of  additional  changes  enabled  us  to  obtain  a  deterministic  polynomial-time 
algorithm,  whereas  the  Gentry-Szydlo  algorithm  is  at  best  probabilistic. 

The technique of Gentry and Szydlo has seen several applications in cryptography, as enumerated in [7]. By placing it in an algebraic framework, we have already been able to generalize the method significantly, replacing the rings $\mathbb Z[X]/(X^n - 1)$ (with $n$ an odd prime) used by Gentry and Szydlo by the larger class of modified group rings that we defined above, and further extensions appear to be possible. In addition, we hope that our reformulation will make it easier to understand the method and improve upon it. This should help to make it more widely applicable in a cryptographic context.

The structure of the paper is as follows. Sections 2-4 contain background on integral lattices. In particular, we derive a new bound for the entries of a matrix describing an automorphism of a unimodular lattice with respect to a reduced basis (Proposition 3.4). Sections 5-7 contain basic material about $G$-lattices and modified group rings. Important examples of $G$-lattices are the ideal lattices introduced in Section 8. In Sections 9-11 we begin our study of invertible $G$-lattices, giving several equivalent definitions and an algorithm for recognizing invertibility. Section 12 is devoted to the following pleasing result: a $G$-lattice is $G$-isomorphic to the standard one if and only if it is invertible and has a vector of length $1$. In Sections 13-14 we show how to multiply invertible $G$-lattices and we introduce the Witt-Picard group of $\mathbb Z(G)$, of which the elements correspond to $G$-isomorphism classes of invertible $G$-lattices. It has properties reminiscent of the class group in algebraic number theory; in particular, it is a finite abelian group (Theorems 14.2 and 14.5). We also show how to do computations in the Witt-Picard group. In Section 15 we treat the extended tensor algebra $\Lambda$, which is in a sense the hero of the story: it is a single algebraic structure that comprises all rings and lattices occurring in our main algorithm. Section 16 shows how $\Lambda$ can be used to assist in finding vectors of length $1$. In Section 17 we use Linnik's theorem from analytic number theory in order to find auxiliary numbers in our main algorithm, and our main algorithm is presented in Section 18.

For  the  purposes  of  this  paper,  commutative  rings  have  an  identity  element  1,  which 
may  be  0.  If  R  is  a  commutative  ring,  let  R*  denote  the  group  of  elements  of  R  that 
have  a  multiplicative  inverse  in  R. 
2. Integral lattices

We begin with some background on lattices and on lattice automorphisms (see also [6]).

Definition 2.1. A lattice or integral lattice is a finitely generated abelian group $L$ with a map $\langle\cdot,\cdot\rangle : L \times L \to \mathbb Z$ that is

• bilinear: $\langle x, y + z\rangle = \langle x, y\rangle + \langle x, z\rangle$ and $\langle x + y, z\rangle = \langle x, z\rangle + \langle y, z\rangle$ for all $x, y, z \in L$,

• symmetric: $\langle x, y\rangle = \langle y, x\rangle$ for all $x, y \in L$, and

• positive definite: $\langle x, x\rangle > 0$ if $0 \ne x \in L$.

As a group, $L$ is isomorphic to $\mathbb Z^n$ for some $n \in \mathbb Z_{\ge 0}$, which is called the rank of $L$ and is denoted $\mathrm{rank}(L)$. In algorithms, a lattice is specified by a Gram matrix $(\langle b_i, b_j\rangle)_{i,j=1}^n$ associated to a $\mathbb Z$-basis $\{b_1, \dots, b_n\}$ and an element of a lattice is specified by its coefficient vector on the same basis. The inner product $\langle\cdot,\cdot\rangle$ extends to a real-valued inner product on $L \otimes_{\mathbb Z} \mathbb R$ and makes $L \otimes_{\mathbb Z} \mathbb R$ into a Euclidean vector space.

Definition 2.2. The standard lattice of rank $n$ is $\mathbb Z^n$ with $\langle x, y\rangle = \sum_{i=1}^n x_i y_i$. Its Gram matrix is the $n \times n$ identity matrix.

Definition 2.3. The determinant $\det(L)$ of a lattice $L$ is the determinant of the Gram matrix of $L$; equivalently, $\det(L)$ is the order of the cokernel of the map $L \to \mathrm{Hom}(L, \mathbb Z)$, $x \mapsto (y \mapsto \langle x, y\rangle)$. A lattice $L$ is unimodular if this map is bijective, i.e., if $\det(L) = 1$.

Definition 2.4. An isomorphism $L \to M$ of lattices is a group isomorphism $\varphi$ from $L$ to $M$ that respects the lattice structures, i.e., $\langle \varphi(x), \varphi(y)\rangle = \langle x, y\rangle$ for all $x, y \in L$. If such a map $\varphi$ exists, then $L$ and $M$ are isomorphic lattices. An automorphism of a lattice $L$ is an isomorphism from $L$ to itself. The set of automorphisms of $L$ is a finite group $\mathrm{Aut}(L)$ whose center contains $-1$.

In  algorithms,  isomorphisms  are  specified  by  their  matrices  on  the  given  bases  of 
L  and  M. 

Examples  2.5. 

(i)  “Random”  lattices  have  Aut(L)  =  {±1}. 

(ii) Letting $S_n$ denote the symmetric group on $n$ letters and $\rtimes$ denote semidirect product, we have $\mathrm{Aut}(\mathbb Z^n) = \{\pm 1\}^n \rtimes S_n$. (The standard basis vectors can be permuted, and signs changed.)

(iii)  If  L  is  the  equilateral  triangular  lattice  in  the  plane,  then  Aut(L)  is  the 
symmetry  group  of  the  regular  hexagon,  which  is  a  dihedral  group  of  order 
12. 


3.  Reduced  bases  and  automorphisms 

The main result of this section is Proposition 3.4, in which we obtain some bounds for LLL-reduced bases of unimodular lattices. We will use this result to give bounds on the complexity of our algorithms and to show that the Witt-Picard group (Definition 14.1 below) is finite. If $L$ is a lattice and $a \in L \otimes \mathbb R$, let $|a| = \langle a, a\rangle^{1/2}$.

Definition 3.1. If $\{b_1, \dots, b_n\}$ is a basis for a lattice $L$, and $\{b_1^*, \dots, b_n^*\}$ is its Gram-Schmidt orthogonalization, and $b_i = b_i^* + \sum_{j < i} \mu_{ij} b_j^*$ with $\mu_{ij} \in \mathbb R$, then $\{b_1, \dots, b_n\}$ is LLL-reduced if

(i) $|\mu_{ij}| \le \frac12$ for all $j < i \le n$, and

(ii) $|b_i^*|^2 \le 2|b_{i+1}^*|^2$ for all $i < n$.

Remark  3.2.  The  LLL  basis  reduction  algorithm  [5]  takes  as  input  a  lattice,  and 
produces  an  LLL-reduced  basis  of  the  lattice,  in  polynomial  time. 


Lemma 3.3. If $a = (\mu_{ij})_{ij} \in M(n, \mathbb R)$ is a lower-triangular real matrix with $\mu_{ii} = 1$ for all $i$ and $|\mu_{ij}| \le \frac12$ for all $j < i$, and $a^{-1} = (\nu_{ij})_{ij}$, then $\nu_{ii} = 1$ for all $i$ and $|\nu_{ij}| \le \frac12\left(\frac32\right)^{i-j-1}$ for all $j < i$.

Proof. Define $e \in M(n, \mathbb R)$ by $e_{ij} = 0$ if $j \ge i$ and $e_{ij} = \frac12$ if $j < i$. Define $h \in M(n, \mathbb R)$ by $h_{i+1,i} = 1$ for $i = 1, \dots, n - 1$ and $h_{ij} = 0$ otherwise. Then $e = \frac12 \sum_{j=1}^{n-1} h^j$ and $(1 - e)^{-1} = 1 + \frac12 \sum_{j=1}^{n-1} \left(\frac32\right)^{j-1} h^j$, which has $ij$ entry $0$ if $i < j$, and $1$ if $i = j$, and $\frac12\left(\frac32\right)^{i-j-1}$ if $i > j$.

Since $e^n = 0 = (1 - a)^n$, we have $(1 - e)^{-1} = \sum_{i=0}^{n-1} e^i$ and $a^{-1} = \sum_{i=0}^{n-1} (1 - a)^i$. If $c = (c_{ij})_{ij} \in M(n, \mathbb R)$, let $|c|$ denote $(|c_{ij}|)_{ij}$. If $c, d \in M(n, \mathbb R)$, then $c \le d$ means that $c_{ij} \le d_{ij}$ for all $i$ and $j$. We have $|a^{-1}| \le \sum_{i=0}^{n-1} |1 - a|^i \le \sum_{i=0}^{n-1} e^i = (1 - e)^{-1}$. This gives the desired result. □


Proposition 3.4. If $\{b_1, \dots, b_n\}$ is an LLL-reduced basis for an integral unimodular lattice $L$ and $\{b_1^*, \dots, b_n^*\}$ is its Gram-Schmidt orthogonalization, then

(i) $2^{1-i} \le |b_i^*|^2 \le 2^{n-i}$,

(ii) $|b_i|^2 \le 2^{n-1}$ for all $i \in \{1, \dots, n\}$,

(iii) $|\langle b_i, b_j\rangle| \le 2^{n-1}$ for all $i$ and $j$,

(iv) if $\sigma \in \mathrm{Aut}(L)$, and for each $i$ we have $\sigma(b_i) = \sum_{j=1}^n a_{ij} b_j$ with $a_{ij} \in \mathbb Z$, then $|a_{ij}| \le 3^{n-1}$ for all $i$ and $j$.

Proof. It follows from Definition 3.1 that for all $1 \le j \le i \le n$ we have $|b_j^*|^2 \le 2^{i-j}|b_i^*|^2$, so for all $i$ we have

\[ 2^{1-i}|b_1^*|^2 \le |b_i^*|^2 \le 2^{n-i}|b_n^*|^2. \]

Since $L$ is integral we have $|b_1^*|^2 = \langle b_1^*, b_1^*\rangle = \langle b_1, b_1\rangle \ge 1$, so $|b_i^*|^2 \ge 2^{1-i}$. Letting $L_i = \sum_{j \le i} \mathbb Z b_j$ we have $|b_i^*|^2 = \det(L_i)/\det(L_{i-1})$. Since $L$ is integral and unimodular,

\[ |b_n^*|^2 = \det(L_n)/\det(L_{n-1}) = 1/\det(L_{n-1}) \le 1, \]

so $|b_i^*|^2 \le 2^{n-i}$, giving (i).

Since $\{b_i^*\}$ is orthogonal we have

\[ |b_i|^2 = |b_i^*|^2 + \sum_{j=1}^{i-1} \mu_{ij}^2 |b_j^*|^2 \le 2^{n-i} + \frac14 \sum_{j=1}^{i-1} 2^{n-j} = 2^{n-i} + \left(2^{n-2} - 2^{n-i-1}\right) = 2^{n-2} + 2^{n-i-1} \le 2^{n-1}, \]

giving (ii). Now (iii) follows by applying the Cauchy-Schwarz inequality $|\langle b_i, b_j\rangle| \le |b_i||b_j|$ and (ii).

For (iv), define $\{c_1,\dots,c_n\}$ to be the basis of $L$ that is dual to $\{b_1,\dots,b_n\}$, i.e., $(c_i,b_j) = \delta_{ij}$ for all $i$ and $j$, where $\delta_{ij}$ is the Kronecker delta symbol. Then $a_{ij} = (c_j,\sigma(b_i))$ so

(3.5) $|a_{ij}| \le |c_j|\,|\sigma(b_i)| = |c_j|\,|b_i|$.

Define $\mu_{ii} = 1$ for all $i$ and $\mu_{ij} = 0$ if $i < j$, and let $M = (\mu_{ij})_{ij} \in M(n,\mathbb R)$. Then $(b_1\ b_2\ \cdots\ b_n) = (b_1^*\ b_2^*\ \cdots\ b_n^*)M^t$. For $0 \ne x \in L\otimes_{\mathbb Z}\mathbb R$, define $x^{-1} = x/(x,x)$. This inverse map is characterized by the properties that $(x,x^{-1}) = 1$ and $\mathbb R x^{-1} = \mathbb R x$; so $(x^{-1})^{-1} = x$. Since the basis dual to $\{b_i^*\}_i$ is $\{(b_i^*)^{-1}\}_i$, and $M$ gives the change of basis from $\{b_i^*\}_i$ to $\{b_i\}_i$, it follows that the matrix $(M^t)^{-1}$ gives the change of basis from $\{(b_i^*)^{-1}\}_i$ to $\{c_i\}_i$. Thus,

$$(c_1\ \cdots\ c_n) = \bigl((b_1^*)^{-1}\ \cdots\ (b_n^*)^{-1}\bigr)M^{-1}.$$

Letting $(\nu_{ij})_{ij} = M^{-1}$, by Lemma 3.3 we have $c_j = \sum_{i \ge j}\nu_{ij}(b_i^*)^{-1}$ with $\nu_{ii} = 1$ and $|\nu_{ij}| \le \frac12\left(\frac32\right)^{i-j-1}$ if $i > j$. By (i) we have $|(b_i^*)^{-1}|^2 \le 2^{i-1}$. Thus,

$$|c_j|^2 = \sum_{i \ge j}\nu_{ij}^2\,|(b_i^*)^{-1}|^2 \le 2^{j-1} + \sum_{i > j}\frac14\left(\frac94\right)^{i-j-1}2^{i-1} = 2^{j-1} + \frac{2^{j-1}}{7}\left(\left(\frac92\right)^{n-j} - 1\right) \le \left(\frac92\right)^{n-1}.$$

Now by (ii) and (3.5) we have $|a_{ij}|^2 \le 9^{n-1}$, as desired.


□ 
Remark 3.6. It is easier to get the weaker bound $|a_{ij}| \le 2^{\binom n2}$, as follows. Write $b_j = b_j^\flat + y$ with $y$ in the real span of $\{b_i : i \ne j\}$ and $b_j^\flat$ orthogonal to that span. With $c_j$ as in the proof of Proposition 3.4, we have $c_j = (b_j^\flat)^{-1}$, by the characterizations of $(b_j^\flat)^{-1}$ and $c_j$. Since $1 = \det(L) = \det\bigl(\sum_{i \ne j}\mathbb Z b_i\bigr)\,|b_j^\flat|$ we have

$$|c_j| = \Bigl|\det\Bigl(\sum_{i \ne j}\mathbb Z b_i\Bigr)\Bigr| \le \prod_{i \ne j}|b_i| \le 2^{(n-1)^2/2}$$

by Hadamard's inequality and Proposition 3.4(ii). By (3.5) and Proposition 3.4(ii) we have $|a_{ij}| \le 2^{\binom n2}$.

4. Short vectors in lattice cosets

We show how to find the unique vector of length 1 in a suitable lattice coset, when such a vector exists.

Proposition 4.1. Suppose $L$ is an integral lattice, $3 \le m \in \mathbb Z$, and $C \in L/mL$. Then the coset $C$ contains at most one element $x \in L$ with $(x,x) = 1$.

Proof. Suppose $x,y \in C$, with $(x,x) = (y,y) = 1$. Since $x,y \in C$, there exists $w \in L$ such that $x - y = mw$. Using the triangle inequality, we have

$$m(w,w)^{1/2} = (x-y,x-y)^{1/2} \le (x,x)^{1/2} + (y,y)^{1/2} = 1 + 1 = 2.$$

Since $m \ge 3$ and $(w,w) \in \mathbb Z_{\ge 0}$, we have $w = 0$, and thus $y = x$. □

Algorithm 4.2. Given a rank $n$ integral lattice $L$, an integer $m$ such that $m > 2^{n/2} + 1$, and $C \in L/mL$, the algorithm computes all $y \in C$ with $(y,y) = 1$.

(i) Compute an LLL-reduced basis for $mL$ and use it as in §10 of [6] to compute $y \in C$ such that $(y,y) \le (2^n - 1)(x,x)$ for all $x \in C$, i.e., to find an approximate solution to the nearest vector problem.

(ii) Compute $(y,y)$.

(iii) If $(y,y) = 1$, output $y$.

(iv) If $(y,y) \ne 1$, output "there is no $y \in C$ with $(y,y) = 1$".

Proposition 4.3. Algorithm 4.2 is a deterministic polynomial-time algorithm that, given an integral lattice $L$, an integer $m$ such that $m > 2^{n/2} + 1$ where $n = \mathrm{rank}(L)$, and $C \in L/mL$, outputs all $y \in C$ with $(y,y) = 1$. The number of such $y$ is 0 or 1.

Proof. Suppose $x \in C$ with $(x,x) = 1$. Since $x,y \in C$, there exists $w \in L$ such that $x - y = mw$. Using the triangle inequality, we have

$$m(w,w)^{1/2} = (x-y,x-y)^{1/2} \le (x,x)^{1/2} + (y,y)^{1/2} \le (1 + 2^{n/2})(x,x)^{1/2} < m,$$

so $(w,w)^{1/2} < 1$. Since $(w,w) \in \mathbb Z_{\ge 0}$, we have $w = 0$, and thus $y = x$. If $(y,y) \ne 1$, there is no $x \in C$ with $(x,x) = 1$. □
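Algorithm 4.2 in executable form, added here as an illustration (it is not code from the paper): an exact LLL reduction over rationals (Definition 3.1 with the Lovász constant $3/4$), Babai's nearest-plane procedure standing in for the nearest-vector approximation of §10 of [6], and the coset test of steps (ii) to (iv). The lattice is assumed to be given by an integer basis (rows) under the standard inner product, so it is integral; the function names and the sample lattices, moduli and coset representatives below are this example's own constructions.

```python
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(B):
    """Gram-Schmidt vectors b_i^* and coefficients mu_ij, computed exactly over Q."""
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * c for a, c in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu


def lll(B, delta=Fraction(3, 4)):
    """LLL reduction of the rows of B (Definition 3.1): |mu_kj| <= 1/2 and the
    Lovasz condition with constant delta, which gives |b_i^*|^2 <= 2 |b_{i+1}^*|^2."""
    B = [list(row) for row in B]
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < len(B):
        for j in range(k - 1, -1, -1):            # size reduction
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1
        else:                                      # Lovasz condition fails: swap, step back
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B


def nearest_plane(B, t):
    """Babai's nearest-plane procedure on an LLL-reduced basis B: returns t - v for a
    lattice vector v close to t, i.e. a short representative of the coset t + L."""
    Bs, _ = gram_schmidt(B)
    w = [Fraction(x) for x in t]
    for i in reversed(range(len(B))):
        c = round(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [a - c * b for a, b in zip(w, B[i])]
    return w


def unit_vector_in_coset(B, m, c):
    """Algorithm 4.2.  B: Z-basis (rows) of an integral lattice L; c: a representative
    of the coset C = c + mL.  Returns the unique y in C with (y, y) = 1, else None."""
    n = len(B)
    if (m - 1) ** 2 <= 2 ** n:                    # hypothesis m > 2^(n/2) + 1
        raise ValueError("m must exceed 2^(n/2) + 1")
    mB = lll([[m * x for x in row] for row in B])  # step (i): reduced basis of mL
    y = nearest_plane(mB, c)                       # short vector of the coset
    if dot(y, y) == 1:                             # steps (ii), (iii)
        return tuple(int(x) for x in y)
    return None                                    # step (iv)


if __name__ == "__main__":
    # Constructed instances: Z^3 with a skewed basis, m = 5 > 2^(3/2) + 1.
    B3 = [[1, 0, 0], [1, 1, 0], [1, 1, 1]]
    print(unit_vector_in_coset(B3, 5, [11, 15, -5]))   # coset of e_1: (1, 0, 0)
    print(unit_vector_in_coset(B3, 5, [2, 1, 0]))      # no unit vector: None
```

Proposition 4.3 is what makes the single rounding pass sufficient: if the coset holds a vector of length 1 at all, the approximate closest vector found in step (i) is forced to be that vector, so a wrong answer can only come from violating the hypothesis on $m$, which the function checks before doing any work.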
5. G-lattices

We introduce $G$-lattices and $G$-isomorphisms. From now on, suppose that $G$ is a finite abelian group equipped with a fixed element $u$ of order 2, and that $n = \#G/2 \in \mathbb Z$.

Definition 5.1. Let $S$ be a set of coset representatives of $G/\langle u\rangle$ (i.e., $\#S = n$ and $G = S \cup uS$), and for simplicity take $S$ so that $1 \in S$.

Definition 5.2. A $G$-lattice is a lattice $L$ together with a group homomorphism $f : G \to \mathrm{Aut}(L)$ such that $f(u) = -1$. For each $\sigma \in G$ and $x \in L$ define $\sigma x \in L$ by

$$\sigma x = f(\sigma)(x).$$

The abelian group $G$ is specified by a multiplication table. The $G$-lattice $L$ is specified as a lattice along with, for each $\sigma \in G$, the matrix describing the action of $\sigma$ on $L$.

Definition 5.3. If $L$ and $M$ are $G$-lattices, then a $G$-isomorphism is an isomorphism $\varphi : L \to M$ of lattices that respects the $G$-actions, i.e., $\varphi(\sigma x) = \sigma\varphi(x)$ for all $x \in L$ and $\sigma \in G$. If such an isomorphism exists, we say that $L$ and $M$ are $G$-isomorphic, or isomorphic as $G$-lattices.

6. The modified group ring $\mathbb Z(G)$

We define a modified group ring $A(G)$ whenever $A$ is a commutative ring. We will usually take $A = \mathbb Z$, but will also take $A = \mathbb Z/m\mathbb Z$ and $\mathbb Q$ and $\mathbb C$.

If $H$ is a group and $A$ is a commutative ring, the group ring $A[H]$ is the set of formal sums $\sum_{\sigma \in H} a_\sigma\sigma$ with $a_\sigma \in A$, with addition defined by

$$\sum_{\sigma \in H} a_\sigma\sigma + \sum_{\sigma \in H} b_\sigma\sigma = \sum_{\sigma \in H}(a_\sigma + b_\sigma)\sigma$$

and multiplication defined by

$$\Bigl(\sum_{\sigma \in H} a_\sigma\sigma\Bigr)\Bigl(\sum_{\tau \in H} b_\tau\tau\Bigr) = \sum_{\rho \in H}\Bigl(\sum_{\sigma\tau = \rho} a_\sigma b_\tau\Bigr)\rho.$$

For example, if $H$ is a cyclic group of order $m$ and $h$ is a generator, then as rings we have $\mathbb Z[X]/(X^m - 1) \cong \mathbb Z[H]$ via the map $\sum a_iX^i \mapsto \sum a_ih^i$.

Definition 6.1. If $A$ is a commutative ring, then writing $1$ for the identity element of the group $G$, we define the modified group ring

$$A(G) = A[G]/(u+1).$$

Every $G$-lattice $L$ is a $\mathbb Z(G)$-module, where one uses the $G$-action on $L$ to define $ax$ whenever $x \in L$ and $a \in \mathbb Z(G)$. This is why we consider $A(G)$ rather than the standard group ring $A[G]$. Considering groups equipped with an element of order 2 allows us to include the cyclotomic rings $\mathbb Z[X]/(X^{2^r} + 1)$ in our theory.

Definition 6.2. Define the scaled trace function $t : A(G) \to A$ by

$$t\Bigl(\sum_{\sigma \in G} a_\sigma\sigma\Bigr) = a_1 - a_u.$$

This is well defined since the restriction of $t$ to $(u+1)A[G]$ is $0$. The map $t$ is the $A$-linear map satisfying $t(1) = 1$, $t(u) = -1$, and $t(\sigma) = 0$ if $\sigma \in G$ and $\sigma \ne 1, u$.

Definition 6.3. For $a = \sum_{\sigma \in G} a_\sigma\sigma \in A(G)$, define $\bar a = \sum_{\sigma \in G} a_\sigma\sigma^{-1}$.

The map $a \mapsto \bar a$ is a ring automorphism of $A(G)$. Since $\bar{\bar a} = a$, it is an involution. (An involution is a ring automorphism that is its own inverse.) One can think of this map as mimicking complex conjugation (cf. Lemma 7.3(i)).

Remark 6.4. If $L$ is a $G$-lattice and $x,y \in L$, then $(\sigma x,\sigma y) = (x,y)$ for all $\sigma \in G$ by Definition 2.4. It follows that $(ax,y) = (x,\bar a y)$ for all $a \in \mathbb Z(G)$. This "hermitian" property of the inner product is the main reason for introducing the involution.

Definition 6.5. For $x,y \in \mathbb Z(G)$ define $(x,y)_{\mathbb Z(G)} = t(x\bar y)$.

Recall that $n = \#G/2$ and $S$ is a set of coset representatives of $G/\langle u\rangle$. The following two results are straightforward.

Lemma 6.6. Suppose $A$ is a commutative ring. Then:

(i) $A(G) = \{\sum_{\sigma \in S} a_\sigma\sigma : a_\sigma \in A\} = \bigoplus_{\sigma \in S} A\sigma$;

(ii) if $a = \sum_{\sigma \in S} a_\sigma\sigma \in A(G)$, then

(a) $t(a) = a_1$,

(b) $t(\bar a) = t(a)$,

(c) $t(a\bar a) = \sum_{\sigma \in S} a_\sigma^2$,

(d) $a = \sum_{\sigma \in S} t(\sigma^{-1}a)\sigma$,

(e) if $t(ab) = 0$ for all $b \in A(G)$, then $a = 0$.

Proposition 6.7. (i) The additive group of the ring $\mathbb Z(G)$ is a $G$-lattice of rank $n$, with lattice structure defined by $(\cdot,\cdot)_{\mathbb Z(G)}$ and $G$-action defined by $\sigma x = \sigma x$ where the right hand side is ring multiplication in $\mathbb Z(G)$.

(ii) As lattices, we have $\mathbb Z(G) \cong \mathbb Z^n$.

Definition 6.8. We call $\mathbb Z(G)$ the standard $G$-lattice.

The set $S$ of coset representatives for $G/\langle u\rangle$ is an orthonormal basis for the standard $G$-lattice.

Example 6.9. Suppose $G = H \times \langle u\rangle$ with $H = \mathbb Z/n\mathbb Z$. Then $\mathbb Z(G) \cong \mathbb Z[H] \cong \mathbb Z[X]/(X^n - 1)$ as rings and as lattices. When $n$ is odd (so $G$ is cyclic), then, sending $X$ to $-X$, we have $\mathbb Z(G) \cong \mathbb Z[X]/(X^n - 1) \cong \mathbb Z[X]/(X^n + 1)$.

Example 6.10. If $G$ is cyclic, then $\mathbb Z(G) \cong \mathbb Z[X]/(X^n + 1)$, identifying $X$ with a generator of $G$. If $G$ is cyclic of order $2^r$, then $\mathbb Z(G) \cong \mathbb Z[X]/(X^{2^{r-1}} + 1) \cong \mathbb Z[\zeta]$, where $\zeta$ is a primitive $2^r$-th root of unity.

Remark 6.11. The ring $\mathbb Z(G)$ is an integral domain if and only if $G$ is cyclic and $n$ is a power of 2 (including $2^0 = 1$). (If $g \in G$ is an element whose order is odd or 2, and $g \notin \{1,u\}$, then $g - 1$ is a zero divisor.)

7. The modified group ring over fields

The main result of this section is Lemma 7.3, which we will use repeatedly in the rest of the paper. Recall that $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2. If $R$ is a commutative ring, then a commutative $R$-algebra is a commutative ring $A$ equipped with a ring homomorphism from $R$ to $A$.

If $K$ is a subfield of $\mathbb C$ and $E$ is a commutative $K$-algebra with $\dim_K(E) < \infty$, let $\Phi_E$ denote the set of $K$-algebra homomorphisms from $E$ to $\mathbb C$. Then $\mathbb C^{\Phi_E}$ is a $\mathbb C$-algebra with coordinate-wise operations. The next result is not only useful for studying modified group rings, but also comes in handy in Proposition 15.2 below.

Lemma 7.1. Suppose $K$ is a subfield of $\mathbb C$ and $E$ is a commutative $K$-algebra with $\dim_K(E) < \infty$. Assume $\#\Phi_E = \dim_K(E)$. Then:

(i) identifying $\Phi_E$ with $\{\mathbb C\text{-algebra homomorphisms } E_{\mathbb C} = \mathbb C\otimes_K E \to \mathbb C\}$, the map $E_{\mathbb C} \to \mathbb C^{\Phi_E}$, $x \mapsto (\varphi(x))_{\varphi \in \Phi_E}$ is an isomorphism of $\mathbb C$-algebras;

(ii) $\bigcap_{\varphi \in \Phi_E}\ker(\varphi) = 0$ in $E$;

(iii) there is a finite collection $\{K_j\}_{j=1}^d$ of finite extension fields of $K$ such that $E \cong K_1 \times \cdots \times K_d$ as $K$-algebras.

Proof. By the Corollaire to Proposition 1 in V.6.3 of [1], the set $\Phi_E$ is a $\mathbb C$-basis for $\mathrm{Hom}_K(E,\mathbb C) = \mathrm{Hom}_{\mathbb C}(E_{\mathbb C},\mathbb C)$, so the $\mathbb C$-algebra homomorphism in (i) is an isomorphism. Part (ii) follows immediately from (i).

By Proposition 2 in V.6.3 of [1], the $K$-algebra $E$ is what Bourbaki calls an étale $K$-algebra, and (iii) then follows from Theorem 4 in V.6.7 of [1]. □

Definition 7.2. Let $\Psi$ denote the set of ring homomorphisms from $\mathbb Q(G)$ to $\mathbb C$. We identify $\Psi$ with the set of $K$-algebra homomorphisms from $K(G)$ to $\mathbb C$, where $K$ is any subfield of $\mathbb C$. The set $\Psi$ can also be identified with the set of group homomorphisms $\psi : G \to \mathbb C^*$ such that $\psi(u) = -1$.

We have $\#\Psi = n$, since $\#\mathrm{Hom}(G,\mathbb C^*) = \#G = 2n$ and the restriction map $\mathrm{Hom}(G,\mathbb C^*) \to \mathrm{Hom}(\langle u\rangle,\mathbb C^*)$ is surjective. This allows us to apply Lemma 7.1 with $E = K(G)$. If $a \in \mathbb C(G)$, then $a$ acts on the $\mathbb C$-vector space $\mathbb C(G)$ by multiplication, and for $\psi \in \Psi$ the $\psi(a)$ are the eigenvalues for this linear transformation. Lemma 7.3(ii) justifies thinking of the map $t$ of Definition 6.2 as a scaled trace function.

Lemma 7.3. (i) If $\psi \in \Psi$, then $\psi(\bar a) = \overline{\psi(a)}$ for all $a \in \mathbb R(G)$.

(ii) If $a \in \mathbb C(G)$, then $t(a) = \frac1n\sum_{\psi \in \Psi}\psi(a)$.

(iii) If $K$ is a subfield of $\mathbb C$, then $\bigcap_{\psi \in \Psi}\ker(\psi) = 0$ in $K(G)$.

(iv) The map $\mathbb C(G) \to \mathbb C^{\Psi}$, $x \mapsto (\psi(x))_{\psi \in \Psi}$ is an isomorphism of $\mathbb C$-algebras.

(v) There are number fields $K_1,\dots,K_d$ such that $\mathbb Q(G) \cong K_1 \times \cdots \times K_d$ as $\mathbb Q$-algebras.

(vi) Suppose $K$ is a subfield of $\mathbb C$ and $a \in K(G)$. Then $a \in K(G)^*$ if and only if $\psi(a) \ne 0$ for all $\psi \in \Psi$.

(vii) If $z \in \mathbb R(G)$ is such that $\psi(z) \in \mathbb R$ for all $\psi \in \Psi$ and $\sum_{\psi \in \Psi}\psi(x\bar xz) \ge 0$ for all $x \in \mathbb R(G)$, then $\psi(z) \ge 0$ for all $\psi \in \Psi$.

Proof. For (i), since $G$ is finite, $\psi(\sigma)$ is a root of unity for all $\sigma \in G$. Thus, $\overline{\psi(\sigma)} = \psi(\sigma)^{-1} = \psi(\sigma^{-1}) = \psi(\bar\sigma)$. The $\mathbb R$-linearity of $\psi$ and of $\mathrm{Aut}(\mathbb C/\mathbb R)$ now imply (i).

We have $\frac1n\sum_{\psi \in \Psi}\psi(1) = 1 = t(1)$, and $\frac1n\sum_{\psi \in \Psi}\psi(u) = -1 = t(u)$, and for each $\sigma \notin \langle u\rangle$ we have

$$\sum_{\psi \in \Psi}\psi(\sigma) = -\sum_{\substack{\psi \in \mathrm{Hom}(G,\mathbb C^*)\\ \psi(u) = 1}}\psi(\sigma) = -\sum_{\psi \in \mathrm{Hom}(G/\langle u\rangle,\mathbb C^*)}\psi(\sigma \bmod \langle u\rangle) = 0 = n\,t(\sigma).$$

Extending $\mathbb C$-linearly gives (ii).

If $K$ is a subfield of $\mathbb C$, then $\#\Psi = n = \dim_K K(G)$. Thus we can apply Lemma 7.1, giving (iii), (iv), and (v).

By (iv) we have $\mathbb C(G)^* \cong (\mathbb C^*)^{\Psi}$. This gives (vi) when $K = \mathbb C$. If $K$ is a subfield of $\mathbb C$ and $x \in K(G) \cap \mathbb C(G)^*$ then multiplication by $x$ is an injective map from $K(G)$ to itself, so is also surjective, so $x \in K(G)^*$. Thus $K(G)^* = K(G) \cap \mathbb C(G)^*$, and (vi) follows.

For (vii), applying Lemma 7.1(iii) with $K = \mathbb R$ gives an $\mathbb R$-algebra isomorphism $\mathbb R(G) \cong \mathbb R^r \times \mathbb C^s$. The set $\Psi = \{\psi_j\}_{j=1}^{r+2s}$ consists of the $r$ projection maps $\psi_j : \mathbb R(G) \to \mathbb R \subset \mathbb C$ for $1 \le j \le r$, along with the $s$ projection maps $\psi_j : \mathbb R(G) \to \mathbb C$ and their complex conjugates $\psi_{s+j} = \overline{\psi_j}$ for $r+1 \le j \le r+s$. By (i), if $x = (x_1,\dots,x_r,y_1,\dots,y_s) \in \mathbb R^r \times \mathbb C^s$, then $\bar x = (x_1,\dots,x_r,\bar y_1,\dots,\bar y_s)$. Taking $x$ to have $1$ in the $j$-th position and $0$ everywhere else, we have $0 \le \sum_{\psi \in \Psi}\psi(x\bar xz) = \psi_j(z)$ if $1 \le j \le r$ and $2\psi_j(z)$ otherwise, giving (vii). □

8. Ideal lattices

As before, $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2. Theorem 8.2 below gives a way to view certain ideals $I$ in $\mathbb Z(G)$ as $G$-lattices, and Theorem 8.5 characterizes the ones that are $G$-isomorphic to $\mathbb Z(G)$.

Definition 8.1. A fractional $\mathbb Z(G)$-ideal is a finitely generated $\mathbb Z(G)$-module in $\mathbb Q(G)$ that spans $\mathbb Q(G)$ over $\mathbb Q$. An invertible fractional $\mathbb Z(G)$-ideal is a fractional $\mathbb Z(G)$-ideal $I$ such that there is a fractional $\mathbb Z(G)$-ideal $J$ with $IJ = \mathbb Z(G)$, where $IJ$ is the fractional $\mathbb Z(G)$-ideal generated by the products of elements from $I$ and $J$.

Theorem 8.2. Suppose $I \subset \mathbb Q(G)$ is a fractional $\mathbb Z(G)$-ideal and $w \in \mathbb Q(G)$. Suppose that $I\bar I \subset \mathbb Z(G)\cdot w$ and $\psi(w) \in \mathbb R_{>0}$ for all $\psi \in \Psi$. Then:

(i) $w = \bar w$;

(ii) $w \in \mathbb Q(G)^*$;

(iii) $I$ is a $G$-lattice, with $G$-action defined by multiplication in $\mathbb Z(G)$, and with lattice structure defined by $(x,y)_{I,w} = t(x\bar y/w)$, with $t$ as in Definition 6.2.

Proof. By Lemma 7.3(i) we have $\psi(\bar w) = \overline{\psi(w)} = \psi(w)$ for all $\psi \in \Psi$. Now (i) follows from Lemma 7.3(iii). Lemma 7.3(vi) implies (ii). Note that $x\bar y/w \in \mathbb Z(G)$ for all $x,y \in I$, since $I\bar I \subset \mathbb Z(G)\cdot w$. Part (iii) now follows from (i) and (ii) of Lemma 7.3. □

Definition 8.3. Let $L_{(I,w)}$ denote the $G$-lattice $I$ in Theorem 8.2(iii).

Example 8.4. We have $L_{(\mathbb Z(G),1)} = \mathbb Z(G)$.

Theorem 8.5. Suppose that $I_1$ and $I_2$ are fractional $\mathbb Z(G)$-ideals, that $w_1,w_2 \in \mathbb Q(G)$, that $I_1\bar I_1 \subset \mathbb Z(G)\cdot w_1$ and $I_2\bar I_2 \subset \mathbb Z(G)\cdot w_2$, and that $\psi(w_1),\psi(w_2) \in \mathbb R_{>0}$ for all $\psi \in \Psi$. Let $L_j = L_{(I_j,w_j)}$ for $j = 1,2$. Then sending $v$ to multiplication by $v$ gives a bijection from

$$\{v \in \mathbb Q(G) : I_1 = vI_2,\ w_1 = v\bar vw_2\} \quad\text{to}\quad \{G\text{-isomorphisms } L_2 \to L_1\},$$

and gives a bijection from

$$\{v \in \mathbb Q(G) : I_1 = v\mathbb Z(G),\ w_1 = v\bar v\} \quad\text{to}\quad \{G\text{-isomorphisms } \mathbb Z(G) \to L_1\}.$$

In particular, $L_1$ is $G$-isomorphic to $\mathbb Z(G)$ if and only if there exists $v \in \mathbb Q(G)$ such that $I_1 = (v)$ and $w_1 = v\bar v$.

Proof. Any $\mathbb Z(G)$-module isomorphism $\varphi : L_2 \to L_1$ extends to a $\mathbb Q(G)$-module isomorphism from $L_2 \otimes \mathbb Q = \mathbb Q(G)$ to $L_1 \otimes \mathbb Q = \mathbb Q(G)$, and any such map is multiplication by some $v \in \mathbb Q(G)^*$. Conversely, for $v \in \mathbb Q(G)$, multiplication by $v$ defines a $\mathbb Z(G)$-module isomorphism from $L_2$ to $L_1$ if and only if $I_1 = vI_2$. When $I_1 = vI_2$, multiplication by $v$ is a $G$-isomorphism from $L_2$ to $L_1$ if and only if $w_1 = v\bar vw_2$; this follows from Lemma 6.6(ii)(e), since for all $a,b \in I_2$ we have $(a,b)_{I_2,w_2} = t(a\bar b/w_2)$ and $(av,bv)_{I_1,w_1} = t(a\bar b\,v\bar v/w_1)$. This gives the first desired bijection. Taking $I_2 = \mathbb Z(G)$ and $w_2 = 1$ gives the second bijection. □

We next show how to recover the Gentry-Szydlo algorithm from Theorem 1.1. The goal of the Gentry-Szydlo algorithm is to find a generator $v$ of a principal ideal $I$ of finite index in the ring $R = \mathbb Z[X]/(X^n - 1)$, given $v\bar v$ and a $\mathbb Z$-basis for $I$. Here, $n$ is an odd prime, and for $v = v(X) = \sum_{i=0}^{n-1} a_iX^i \in R$, its "reversal" is $\bar v = v(X^{-1}) = a_0 + \sum_{i=1}^{n-1} a_{n-i}X^i \in R$. We take $G$ to be a cyclic group of order $2n$. Then $R \cong \mathbb Z(G)$ as in Example 6.9, and we identify $R$ with $\mathbb Z(G)$. Let $w = v\bar v \in \mathbb Z(G)$ and let $L = L_{(I,w)}$ as in Definition 8.3. Then $L$ is the "implicit orthogonal lattice" in §7.2 of [3]. Once one knows $w$ and a $\mathbb Z$-basis for $I$, then one knows $L$. Theorem 1.1 produces a $G$-isomorphism $\varphi : \mathbb Z(G) \to L$ in polynomial time, and thus (as in Theorem 8.5) gives a generator $v = \varphi(1)$ in polynomial time.
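A working model of the objects of Sections 6, 7 and 8 for $G$ cyclic of order $2n$, where $\mathbb Z(G) \cong \mathbb Z[X]/(X^n+1)$ (Example 6.10). This is an added example, not code from the paper: it implements the ring multiplication, the involution of Definition 6.3, the scaled trace of Definition 6.2 and the inner product of Definition 6.5, the $n$ characters $\Psi$ of Definition 7.2 (used to check Lemma 7.3(i), (ii) and (vi) numerically), and the Gram matrix of $L_{(I,w)}$ from Theorem 8.2(iii), applied to a constructed instance of the Gentry-Szydlo setting $I = v\mathbb Z(G)$, $w = v\bar v$. Division by $w$ is done by an exact linear solve over $\mathbb Q$, a choice of this example; all function names and the sample elements ($v$, $a$, $x$, $y$) are assumptions made here.

```python
from fractions import Fraction
import cmath


def zg_mul(a, b):
    """Multiply in Z(G) = Z[X]/(X^n + 1), G cyclic of order 2n.  Elements are coefficient
    lists on S = {1, X, ..., X^(n-1)}; the element u = X^n is identified with -1."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:                              # X^(i+j) = X^n X^(i+j-n) = -X^(i+j-n)
                c[i + j - n] -= ai * bj
    return c


def zg_conj(a):
    """Involution of Definition 6.3, sigma -> sigma^{-1}.  For 0 < k < n,
    X^{-k} = X^{n-k} X^{-n} = -X^{n-k}, so the X^k coefficient moves to X^{n-k}, negated."""
    n = len(a)
    c = [0] * n
    c[0] = a[0]
    for k in range(1, n):
        c[n - k] = -a[k]
    return c


def zg_trace(a):
    """Scaled trace t of Definition 6.2: t(1) = 1, t(u) = -1, t(sigma) = 0 otherwise.
    On S-coordinates the u-part is already folded in with u = -1, so t is coefficient 0."""
    return a[0]


def zg_inner(x, y):
    """(x, y)_{Z(G)} = t(x conj(y)) (Definition 6.5).  It equals the dot product of the
    coordinate vectors, which is the statement that S is an orthonormal basis."""
    return zg_trace(zg_mul(x, zg_conj(y)))


def characters(a):
    """The n ring homomorphisms psi: Q(G) -> C with psi(u) = -1 (Definition 7.2):
    psi_k(X) = zeta^(2k+1) with zeta = exp(i*pi/n), so psi_k(X^n) = -1."""
    n = len(a)
    return [sum(ai * cmath.exp(1j * cmath.pi * (2 * k + 1) * i / n) for i, ai in enumerate(a))
            for k in range(n)]


def is_unit(a, eps=1e-9):
    """Lemma 7.3(vi): a is a unit of Q(G) iff no character vanishes on it."""
    return all(abs(c) > eps for c in characters(a))


def solve_exact(M, b):
    """Solve M q = b over Q by Gauss-Jordan elimination (M assumed invertible)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(bi)] for row, bi in zip(M, b)]
    for i in range(n):
        p = next(r for r in range(i, n) if A[r][i] != 0)
        A[i], A[p] = A[p], A[i]
        piv = A[i][i]
        A[i] = [x / piv for x in A[i]]
        for r in range(n):
            if r != i and A[r][i] != 0:
                f = A[r][i]
                A[r] = [x - f * y for x, y in zip(A[r], A[i])]
    return [row[n] for row in A]


def zg_div(a, w):
    """a / w in Q(G): column k of the matrix of multiplication by w is w X^k."""
    n = len(w)
    cols = [zg_mul(w, [int(i == k) for i in range(n)]) for k in range(n)]
    return solve_exact([[cols[k][i] for k in range(n)] for i in range(n)], a)


def ideal_lattice_gram(basis, w):
    """Gram matrix of L_(I,w) (Theorem 8.2(iii)): (x, y)_{I,w} = t(x conj(y) / w)."""
    return [[zg_trace(zg_div(zg_mul(x, zg_conj(y)), w)) for y in basis] for x in basis]


def gentry_szydlo_lattice(v):
    """Constructed instance of the setting at the end of Section 8: I = v Z(G) with
    Z-basis {v X^k} and w = v conj(v).  By Theorem 8.5, x -> v x is a G-isomorphism
    Z(G) -> L_(I,w), so this basis is orthonormal and the Gram matrix is the identity."""
    n = len(v)
    basis = [zg_mul(v, [int(i == k) for i in range(n)]) for k in range(n)]
    return ideal_lattice_gram(basis, zg_mul(v, zg_conj(v)))
```

The Gram matrix returned by `gentry_szydlo_lattice` is what an attacker in the Gentry-Szydlo setting can compute from the public data $w$ and a $\mathbb Z$-basis of $I$ alone; the point of Theorems 1.1 and 8.5 is that a $G$-isomorphism from $\mathbb Z(G)$ onto this lattice is equivalent to the secret generator $v$. With $n = 3$, `zg_mul([-1, 0, 1], [1, -1, 1])` is zero, exhibiting the zero divisor $g^2 - 1$ of Remark 6.11, and `is_unit([-1, 0, 1])` is false for the same reason.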
9. Invertible G-lattices

Recall that $G$ is a finite abelian group of order $2n$, with a fixed element $u$ of order 2, and $S$ is a set of coset representatives for $G/\langle u\rangle$. In Definition 9.5 we introduce the concept of an invertible $G$-lattice. The inverse of such a lattice $L$ is the $G$-lattice $\bar L$ given in Definition 9.1.

Definition 9.1. If $L$ is a $G$-lattice, then the $G$-lattice $\bar L$ is a lattice equipped with a lattice isomorphism $L \to \bar L$, $x \mapsto \bar x$ and a group homomorphism $G \to \mathrm{Aut}(\bar L)$ defined by $\sigma\bar x = \overline{\sigma^{-1}x}$ for all $\sigma \in G$ and $x \in L$, i.e., $\bar\sigma\bar x = \overline{\sigma x}$.

Existence follows by taking $\bar L$ to be $L$ with the appropriate $G$-action. The $G$-lattice $\bar L$ is unique up to $G$-isomorphism, and we have $\bar{\bar L} = L$.

Definition 9.2. If $L$ is a $G$-lattice, define the lifted inner product

$$\cdot : L \times \bar L \to \mathbb Z(G)\quad\text{by}\quad x\cdot\bar y = \sum_{\sigma \in S}(x,\sigma y)\sigma \in \mathbb Z(G).$$

This lifted inner product is independent of the choice of the set $S$, and is $\mathbb Z(G)$-bilinear, i.e., $(ax)\cdot\bar y = x\cdot(a\bar y) = a(x\cdot\bar y)$ for all $a \in \mathbb Z(G)$ and all $x,y \in L$. We have

(9.3) $(x,y) = t(x\cdot\bar y)$

and $x\cdot\bar y = \overline{y\cdot\bar x}$.

Example 9.4. If $I$, $w$, and $L_{(I,w)}$ are as in Theorem 8.2 and Definition 8.3, then $\overline{L_{(I,w)}} = L_{(\bar I,w)}$, and applying Lemma 6.6(ii)(d) with $a = x\bar y/w$ shows that $x\cdot\bar y = x\bar y/w$.

In particular, if $L = \mathbb Z(G)$, then $\bar L = \mathbb Z(G)$ with $\bar{\ }$ having the same meaning as in Definition 6.3 for $A = \mathbb Z$, and with $\cdot$ being multiplication in $\mathbb Z(G)$. Note that when $w \ne 1$, ideals $I$ in $\mathbb Z(G)$ do not inherit their lifted inner product from that of $\mathbb Z(G)$.

Definition 9.5. A $G$-lattice $L$ is invertible if the following three conditions all hold:

(i) $\mathrm{rank}(L) = n = \#G/2$;

(ii) $L$ is unimodular (see Definition 2.3);

(iii) for each $m \in \mathbb Z_{>0}$ there exists $e_m \in L$ such that $\{\sigma e_m + mL : \sigma \in G\}$ generates the abelian group $L/mL$.

It is clear from the definition that invertibility is preserved under $G$-lattice isomorphisms. Definition 9.5 implies that $L/mL$ is a free $(\mathbb Z/m\mathbb Z)(G)$-module of rank one for all $m > 0$. Given an ideal, it is a hard problem to decide if it is principal. But checking (iii) of Definition 9.5 is easy algorithmically; see Algorithm 10.2 below.

Lemma 9.6. If $L$ is a $G$-lattice and $L$ is $G$-isomorphic to the standard $G$-lattice, then $L$ is invertible.

Proof. Parts (i) and (ii) of Definition 9.5 are easy. For (iii), observe that the group $\mathbb Z(G)$ is generated by $\{\sigma\cdot 1 : \sigma \in G\}$, so the group $L$ is generated by $\{\sigma e : \sigma \in G\}$ where $e$ is the image of $1$ under the isomorphism. Now let $e_m = e$ for all $m$. □
10. Determining invertibility

Fix as before a finite abelian group $G$ of order $2n$ equipped with an element $u$ of order 2.

Algorithm 10.2 below determines whether a $G$-lattice is invertible. In Proposition 10.3 we show that Algorithm 10.2 produces correct output and runs in polynomial time.

In [8] we obtain a deterministic polynomial-time algorithm that, on input a finite commutative ring $R$ and a finite $R$-module $M$, decides whether there exists $y \in M$ such that $M = Ry$, and if there is, finds such a $y$. Applying this with $R = \mathbb Z(G)/(m)$ and $M = L/mL$ gives the algorithm in the following result.

Proposition 10.1. There is a deterministic polynomial-time algorithm that, given $G$, $u$, a $G$-lattice $L$, and $m \in \mathbb Z_{>0}$, decides whether there exists $e_m \in L$ such that $\{\sigma e_m + mL : \sigma \in G\}$ generates $L/mL$ as an abelian group, and if there is, finds one.

Algorithm 10.2. Given $G$, $u$, and a $G$-lattice $L$, the algorithm decides whether $L$ is invertible.

(i) If $\mathrm{rank}(L) \ne n$, output "no" (and stop).

(ii) Compute the determinant of the Gram matrix for $L$. If it is not 1, output "no" (and stop).

(iii) Use Proposition 10.1 to determine if $e_2$ (in the notation of Definition 9.5(iii)) exists. If no $e_2$ exists, output "no" and stop. Otherwise, use Proposition 10.1 to compute $e_2 \in L$.

(iv) Compute the order $q$ of the group $L/(\mathbb Z(G)\cdot e_2)$.

(v) Use Proposition 10.1 to determine if $e_q$ exists. If no $e_q$ exists, output "no". Otherwise, output "yes".

Proposition 10.3. Algorithm 10.2 is a deterministic polynomial-time algorithm that, given $G$, $u$, and a $G$-lattice $L$, decides whether $L$ is invertible.

Proof. If Step (ii) outputs "no" then $L$ is not unimodular so it is not invertible. We need to check Definition 9.5(iii) for all $m$'s in polynomial time. We show that it suffices to check two particular values of $m$, namely $m = 2$ and $q$. By Lemma 10.4, the group $L/(\mathbb Z(G)\cdot e_2)$ is finite of odd order $q$. If no $e_q$ exists, $L$ is not invertible. If $e_q$ exists, then for all $m \in \mathbb Z_{>0}$ there exists $e_m \in L$ that generates $L/mL$ as a $\mathbb Z(G)/(m)$-module, as follows. We can reduce to $m$ being a prime power $p^k$, since if $\gcd(m,m') = 1$ then $L/mm'L$ is free of rank 1 over $\mathbb Z(G)/(mm')$ if and only if $L/mL$ is free of rank 1 over $\mathbb Z(G)/(m)$ and $L/m'L$ is free of rank 1 over $\mathbb Z(G)/(m')$. Lemma 10.4 now allows us to reduce to the case $m = p$. If $p$ does not divide $q$, we can take $e_p = e_2$. If $p$ divides $q$, we can take $e_p = e_q$. □

Lemma 10.4. Suppose that $L$ is a $G$-lattice, $m \in \mathbb Z_{>1}$, and $e \in L$. Then $\{\sigma e + mL : \sigma \in G\}$ generates $L/mL$ as an abelian group if and only if $L/(\mathbb Z(G)\cdot e)$ is finite of order coprime to $m$.

Proof. The set $\{\sigma e + mL : \sigma \in G\}$ generates $L/mL$ as an abelian group if and only if $L = \mathbb Z(G)e + mL$, and if and only if multiplication by $m$ is surjective as a map from $L/(\mathbb Z(G)\cdot e)$ to itself. Since $L/(\mathbb Z(G)\cdot e)$ is a finitely generated abelian group, this holds if and only if $L/(\mathbb Z(G)\cdot e)$ is finite of order coprime to $m$. □
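An executable version of Definition 9.2 and Algorithm 10.2, added as an example (not the paper's own code), for $G$ cyclic of order $2n$ acting on a sublattice $L \subseteq \mathbb Z^n = \mathbb Z(G)$ through the negacyclic shift, i.e. the matrix of a generator $g$ with $g^n = -1 = u$. The index $[L : \mathbb Z(G)e]$ of Lemma 10.4 is computed as a ratio of determinants, and steps (iii) and (v) call a brute-force search over $L/mL$ in place of the polynomial-time algorithm of Proposition 10.1 (reference [8]), which is not implemented here. The lattice bases and vectors in the usage are constructed for the example; the function names are this example's own.

```python
from fractions import Fraction
from itertools import product
from math import gcd


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def mat_vec(A, v):
    return [dot(row, v) for row in A]


def det(M):
    """Exact determinant over Q by Gaussian elimination; an int for integer input."""
    A = [[Fraction(x) for x in row] for row in M]
    n, d = len(A), Fraction(1)
    for i in range(n):
        p = next((r for r in range(i, n) if A[r][i] != 0), None)
        if p is None:
            return 0
        if p != i:
            A[i], A[p] = A[p], A[i]
            d = -d
        d *= A[i][i]
        for r in range(i + 1, n):
            f = A[r][i] / A[i][i]
            A[r] = [a - f * b for a, b in zip(A[r], A[i])]
    return int(d)


def negacyclic_shift(n):
    """Matrix of a generator g of G on Z^n = Z(G), G cyclic of order 2n:
    e_k -> e_{k+1} and e_{n-1} -> -e_0, so g^n = -1 = u.  It is an isometry of Z^n."""
    A = [[0] * n for _ in range(n)]
    for k in range(n - 1):
        A[k + 1][k] = 1
    A[0][n - 1] = -1
    return A


def orbit(A, e):
    """The vectors sigma e for sigma in S = {1, g, ..., g^(n-1)}."""
    rows, v = [], list(e)
    for _ in range(len(e)):
        rows.append(v)
        v = mat_vec(A, v)
    return rows


def lifted_inner_product(A, x, y):
    """Definition 9.2: x . conj(y) = sum_{sigma in S} (x, sigma y) sigma, as coefficients
    on S.  The coefficient at sigma = 1 is t(x . conj(y)) = (x, y), which is (9.3)."""
    return [dot(x, s) for s in orbit(A, y)]


def gram_det(B):
    return det([[dot(r, s) for s in B] for r in B])


def index_in_L(B, A, e):
    """[L : Z(G) e] for e in L = Z-span of the rows of B (Lemma 10.4); 0 signals
    infinite index, i.e. Z(G) e has rank below n."""
    d = abs(det(orbit(A, e)))
    return d // abs(det(B)) if d else 0


def generates_mod_m(B, A, e, m):
    """Lemma 10.4: {sigma e + mL} generates L/mL iff the index is finite and coprime to m."""
    idx = index_in_L(B, A, e)
    return idx != 0 and gcd(idx, m) == 1


def find_generator(B, A, m):
    """Brute-force stand-in for Proposition 10.1: scan the m^n coset representatives of
    L/mL for some e_m.  Fine for toy sizes only; the paper's routine is polynomial time."""
    n = len(B)
    if m == 1:
        return [0] * n
    for coeffs in product(range(m), repeat=n):
        e = [sum(c * b[i] for c, b in zip(coeffs, B)) for i in range(n)]
        if generates_mod_m(B, A, e, m):
            return e
    return None


def algorithm_10_2(B, A):
    """Decide invertibility (Definition 9.5) of the G-lattice L = rowspan(B), action A."""
    n = len(A)
    if len(B) != n:                          # (i)  rank must equal n = #G/2
        return "no"
    if gram_det(B) != 1:                     # (ii) unimodular?
        return "no"
    e2 = find_generator(B, A, 2)             # (iii)
    if e2 is None:
        return "no"
    q = index_in_L(B, A, e2)                 # (iv) order of L/(Z(G) e_2), odd by Lemma 10.4
    return "yes" if find_generator(B, A, q) is not None else "no"   # (v)


if __name__ == "__main__":
    A = negacyclic_shift(4)                                    # Z(G) = Z[X]/(X^4 + 1)
    I4 = [[int(i == j) for j in range(4)] for i in range(4)]   # the standard G-lattice
    print(algorithm_10_2(I4, A))                               # yes
    B17 = orbit(A, [2, 1, 0, 0])                               # the ideal (X + 2), index 17
    print(gram_det(B17), algorithm_10_2(B17, A))               # 289 no
```

On $\mathbb Z(G)$ itself the element $X+2$ generates a submodule of index $17$, so by Lemma 10.4 it generates $L/mL$ exactly for $m$ coprime to $17$; the ideal $(X+2)$ with the inherited inner product is a $G$-lattice of Gram determinant $17^2$, which Algorithm 10.2 rejects at step (ii) without reaching the module-theoretic steps.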

11.  Equivalent  conditions  for  invertibility 

In  this  section  we  prove  Theorem  11.1,  which  gives  equivalent  conditions  for  invert- 
ibility. 

Theorem  11.1.  If  L  is  a  G-lattice,  then  the  following  statements  are  equivalent: 

(a)  L  is  invertible; 

(b)  the  map  <p  :  L  ®z{G)  L  — *  Z(G)  defined  by  p>(x  ®y)  =  x  -  y  is  an  isomorphism 
of  Z(G) -modules,  where  ■  is  defined  in  Definition  9.2; 

(c)  there  is  a  Z(G) -module  M  such  that  L  ®z{G)  M  and  Z (G)  are  isomorphic  as 
Z(G)  -modules,  and  as  a  lattice  L  is  unim.odular; 

(d)  L  is  G -isomorphic  to  for  some  fractional  Z(G)  -ideal  I  and  some  w  G 

Q (G)*  such  that  II  =  Z (G)  ■  w  a?id  fl(w)  G  M>0  for  all  G  T,  with  £(/,«,)  os 
in  Definition  8.3. 

We  will  prove  Theorem  11.1  in  a  series  of  lemmas.  The  equivalence  of  (a)  and  (c) 
says  that  being  invertible  as  a  G-lattice  is  equivalent  to  being  both  unimodular  as  a 
lattice  and  invertible  as  a  Z(G)-module. 

Definition  11.2.  Suppose  R  is  a  commutative  ring.  An  A-module  is  projective 
if  it  is  a  direct  summand  of  a  free  A-module.  An  A-module  M  is  flat  if  whenever 
N\  <—}  N2  is  an  injection  of  A-modulcs,  then  the  induced  map  M  Aj  — >  M  N2 
is  injective. 

Lemma  11.3.  Suppose  that  L  is  a  7L-free  TLlfG) -module  of  rank  #G/2,  and  for  each 
m  G  Z>0  there  exists  em  G  L  such  that  {aem  +  mL  :  a  G  G}  generates  the  abelian 
group  L/mL.  Then: 

(i)  there  is  a  Z(G) -module  M  such  that  L  ©  M  =  Z(G)  ©  Z (G)  ,  and 

(ii)  L  is  projective  and  flat  as  a  Z(G)  -module. 

Proof.  Let  q  —  [L  :  rL(G)e2\.  By  Lemma  10.4,  we  have  that  q  is  finite  and  odd.  Let 
r  —  [L  :  Z (G)eq\.  By  Lemma  10.4,  we  have  that  r  is  finite  and  coprime  to  q.  Take 
a,  b  G  Z  such  that  ar  +  bq  =  1.  Let  N  =  Z(G)e2  ©  Z (G)eq  and  M  =  Z(G)e2  D  Z (G)eq. 
Since  L  has  rank  #G/2  we  have  N  =  Z(G)  ©  Z(G).  Define  p  :  N  — >  L  by  (x,  y)  (->• 
x  +  y  and  s  :  L  — >  by  x  eA  ( bqx,arx ).  Then  p  o  s  is  the  identity  on  L.  Thus, 
L  ©  ker(p)  =  A^  =  Z(G)  ©  Z(G).  Since  L  is  a  direct  summand  of  a  free  module,  L  is 
projective.  All  projective  modules  are  flat  (by  Example  (1)  in  1.2.4  of  [2]).  □ 

Recall  that  the  notions  of  fractional  Z(G)-ideal  and  invertible  fractional  Z(G)-ideal 
were  defined  in  Definition  8.1. 
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Lemma  11.4.  If  I  is  an  invertible  fractional  Z(G) -ideal,  then: 

(i)  if  m  E  Z>0,  then  I /ml  is  isomorphic  to  {/L/mL)(G)  as  a  Z(G) -module; 

(ii)  I  is  flat; 

(iii)  if  I'  is  a  fractional  Z(G)-ideal,  then  the  natural  surjective  map  I®z(g)I'  1 1' 
is  an  isomorphism. 

Proof.  Since  /  is  an  invertible  fractional  Z(G)-ideal,  there  is  a  fractional  Z(G)-ideal 
J  such  that  IJ  =  Z(G).  Let  T  denote  the  partially  ordered  set  of  fractional  Z (G)- 
ideals.  The  maps  from  T  to  itself  defined  by  f\  :  N  i— >■  NI  and  f<i  :  N  i— >■  N  J  are 
inverse  bijections  that  preserve  inclusions.  Since  /i(Z(G))  =  /,  it  follows  that  the 
maximal  Z(G)-submodules  of  /  are  exactly  the  ml  such  that  m  is  a  maximal  ideal 
of  Z (G).  By  the  Chinese  Remainder  Theorem,  the  map  /  — >■  surjective, 

where  the  product  runs  over  the  (finitely  many)  maximal  ideals  m  that  contain  m.  It 
follows  that  there  exists  x  E  I  that  is  not  contained  in  any  m/.  Since  Z (G)x  +  ml 
is  a  fractional  ideal  that  is  not  contained  in  any  proper  submodule  of  /,  it  equals  I . 
Thus,  I /ml  is  isomorphic  to  (Z/mZ)(G)  as  a  Z(G)-modulc.  This  proves  (i). 

For  (ii),  apply  (i)  and  Lemma  11.3(h). 

Since  /  is  flat,  the  natural  map 

I  ®z(G)  I'  — 1 1  ®z(G)  Q  (G)  =  I  ®%(G)  Z  (G)  <g)z  Q  —  I  ®z  Q  =  Q  (G) 

is  injective,  giving  (iii).  □ 

Let  Lq  =  L  Q.  Then  the  inner  product  (  ,  )  on  L  extends  Q-bilincarly  to 
a  Q-bilinear,  symmetric,  positive  definite  inner  product  on  Lq,  and  the  lifted  inner 
product  •  extends  Q-bilinearly  to  a  Q(G)-bilinear  map  Lq  x  Lq  — >  Q (G). 

Lemma  11.5.  Suppose  L  is  an  invertible  G-lattice.  Then  Lq  =  Q{G)ry  for  some 
7  E  Lq.  For  such  a  7,  letting  z  =  7  -7  G  Q (G)  we  have: 

(i)  z  G  Q(G)*, 

(ii)  for  all  E  T  we  have  E  M>0, 

(iii)  L-L  =  Z(G), 

(iv)  if  I  =  {x  E  Q (G)  :  x 7  G  L},  then  II  =  Z (G)z~1  and  L^tZ- 7  =  L  as 
G-lattices. 

Proof.  By  Definition  9.5(iii)  and  Lemma  10.4  we  have  that  for  all  m  E  Z>i  there 
exists  em  E  L  such  that  the  index  ifm)  =  [L  :  Z (G)em\  is  hnite  and  coprime  to  m.  It 
follows  that  Lq  =  Q (G)  as  Q(G)-modules.  Thus,  Lq  =  Q(G) 7  for  some  7  G  Lq.  Let 
2  =  7 ' 7  G  Q (G). 

For  all  x,y  E  Q (G)  we  have  (x'f,  r/7)  =  t(x 7  •  yfl)  =  t(xyz).  Since  the  inner 
product  is  symmetric,  using  Lemma  6.6(h) (e)  we  have  z  =  z.  Thus  for  all  if  E  T 
we  have  if(z)  =  if(z)  =  if(z)  by  Lemma  7.3 (i) ,  so  if(z)  E  M.  For  all  x  E  Q (G) 
we  have  0  <  (£7,2:7)  =  t{xxz)  =  7  ip(xxz)  by  Lemma  7.3(h).  By  Lemma 
7.3(vii)  it  follows  that  if(z)  >  0  for  all  if  E  T.  If  x  E  Q (G)  and  zx  =  0,  then 
(£7,2:7)  =  t{xxz)  =  0,  so  x  =  0.  Therefore  multiplication  by  z  is  an  injective,  and 
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thus  surjective,  map  from  Q (G)  to  itself.  Thus  z  E  Q (G)*  and  i/)(z)  E  M>o  for  all 
"0  G  T,  by  Lemma  7.3(vi).  This  gives  (i)  and  (ii). 

Dehne  L^1  =  {y  E  Lq  :  L  ■  y  C  Z(G)}  and  let  m  G  Z>1.  We  have  L  Z>  Z (G)em  Z> 
i(m)L,  so  em  G  Q(G)*y  and  therefore  em-ejL  G  Q(G)*.  Now  i(m)(em-e^)_1ej^  G  L_1, 
because  for  all  x  E  L  one  has  i(m)x  ■  (em  ■  ejk)_1ejk  C  Z {G)em  ■  (em  ■  ejL)-1ejL  =  Z(G). 
Therefore  i(m)  =  em  •  i(m)(em  ■  ejn)_1ejL  G  L  ■  L”1  C  Z (G).  This  is  true  for  all 
m  E  Z>i,  so  1  G  i  •  L”1  and  L  ■  L_1  =  Z(G). 

Now  for  y  E  Lq  one  has  y  E  L  if  and  only  if  y  E  L,  if  and  only  if  for  all  x  E  L  one 
has  (x,  y)  E  Z,  if  and  only  if  for  all  x  E  L  and  a  E  G  one  has  (x,  ay)  =  (a^x,  y)  E  Z, 
if  and  only  if  for  all  x  E  L  one  has  x  ■  y  E  Z (G),  if  and  only  if  y  G  L _1.  So  L  —  L -1. 
Thus  L  ■  L  =  1(G) ,  giving  (iii). 

If  /  C  Q (G)  is  such  that  L  =  Jy,  then  /  L,  x  H »  ary  as  Z(G)-modules.  Then 
Z(G)  —  L  L  —  //y-y  =  //^,  so  II  =  7j(G)z~1.  Now  (ary,  yy)  =  i(xy-yy)  =  t(xyz)  = 
(x,y)qz- 1  for  all  x,y  E  I.  Thus,  L(/)Z- 1)  =  L  as  G-lattices.  This  gives  (iv).  □ 

We  are  now  ready  to  prove  Theorem  11.1. 

For  (a)  (d),  apply  Lemma  11.5  with  ta  =  z_1. 

For (d) ⇒ (b), by (d) we have $L \otimes_{Z(G)} \bar{L} \cong I \otimes_{Z(G)} \bar{I}$. Using Lemma 11.4(iii) we have that the composition $I \otimes \bar{I} \to I\bar{I} = Z(G)w \to Z(G)$ is an isomorphism, where the first map sends $x \otimes y$ to $xy$ and the last map sends $a$ to $a/w$. Since $x\cdot y = x\bar{y}/w$, this gives (b).

For (b) ⇒ (c), suppose (b) holds, i.e., the map $\varphi : L \otimes_{Z(G)} \bar{L} \to Z(G)$, $x \otimes \bar{y} \mapsto x\cdot y$ is an isomorphism of $Z(G)$-modules. Then $L$ is unimodular, as follows. Consider the maps:

$$L \to \mathrm{Hom}_{Z(G)}(\bar{L}, Z(G)) \to \mathrm{Hom}(\bar{L}, \mathbb{Z}) \to \mathrm{Hom}(L, \mathbb{Z})$$

where the left-hand map is the $Z(G)$-module isomorphism induced by $\varphi$, defined by $x \mapsto (\bar{y} \mapsto x\cdot y)$, the middle map is $f \mapsto t \circ f$, and the right-hand map is $g \mapsto (y \mapsto g(\bar{y}))$. The latter two maps are group isomorphisms; for the middle map note that its inverse is $f \mapsto (x \mapsto \sum_{\sigma} f(\sigma^{-1}x)\sigma)$. The composition, which takes $x$ to $(y \mapsto t(x\cdot y) = \langle x, y\rangle)$, is therefore a bijection, so $L$ is unimodular. Then (c) holds by taking $M = \bar{L}$.

For (c) ⇒ (a), by Lemma 7.3(v) we have $Q(G) = \prod_{j \in J} K_j$ with $|J| < \infty$ and fields $K_j$. Each $Q(G)$-module $V$ is $V = \bigoplus_j V_j$ with each $V_j$ a $K_j$-vector space. With $V = L \otimes \mathbb{Q}$ and $W = M \otimes \mathbb{Q}$ we have

$$\bigoplus_{j \in J}(V_j \otimes_{K_j} W_j) = V \otimes_{Q(G)} W = Q(G) = \prod_j K_j.$$

This holds if and only if for all $j$ we have $(\dim_{K_j} V_j)(\dim_{K_j} W_j) = 1$, which holds if and only if for all $j$ we have $\dim_{K_j} V_j = \dim_{K_j} W_j = 1$. This holds if and only if $V \cong W \cong Q(G)$ as $Q(G)$-modules. Thus, $L$ and $M$ may be viewed as fractional $Z(G)$-ideals in $Q(G)$, and $LM$ is principal, so $L$ and $M$ are invertible fractional $Z(G)$-ideals. By Lemma 11.4(i), if $I$ is an invertible fractional $Z(G)$-ideal, then $I/mI$ is cyclic as a $Z(G)$-module, for every positive integer $m$. Thus $L/mL$ is cyclic as a $Z(G)$-module, so (a) holds.

This  concludes  the  proof  of  Theorem  11.1. 

12. Short vectors in invertible lattices

Recall that $G$ is a group of order $2n$ equipped with an element $u$ of order 2. The main result of this section is Theorem 12.4, which shows in particular that a $G$-lattice is $G$-isomorphic to the standard $G$-lattice if and only if it is invertible and has a short vector (i.e., a vector of length 1).

Definition 12.1. We will say that a vector $e$ in an integral lattice $L$ is short if $\langle e, e\rangle = 1$.

Example 12.2. The short vectors in the standard lattice of rank $n$ are the $2n$ signed standard basis vectors $\{(0, \ldots, 0, \pm 1, 0, \ldots, 0)\}$. Thus, the set of short vectors in $Z(G)$ is $G$.

Proposition 12.3. Suppose $L$ is an invertible $G$-lattice. Then:

(i) if $e$ is short, then $\{\sigma \in G : \sigma e = e\} = \{1\}$;

(ii) if $e$ is short, then $\langle e, \sigma e\rangle$ is 1 if $\sigma = 1$, is $-1$ if $\sigma = u$, and is 0 for all other $\sigma \in G$;

(iii) $e \in L$ is short if and only if $e\cdot e = 1$, with inner product $\cdot$ defined in Definition 9.2.

Proof. Suppose $e \in L$ is short. Let $H = \{\sigma \in G : \sigma e = e\}$. For all $\sigma \in G$, by the Cauchy-Schwarz inequality we have $|\langle e, \sigma e\rangle| \le (\langle e, e\rangle\langle\sigma e, \sigma e\rangle)^{1/2} = \langle e, e\rangle = 1$, and $|\langle e, \sigma e\rangle| = 1$ if and only if $e$ and $\sigma e$ lie on the same line through 0. Thus $\langle e, \sigma e\rangle \in \{1, 0, -1\}$. Then $\langle e, \sigma e\rangle = 1$ if and only if $\sigma \in H$. Also, $\langle e, \sigma e\rangle = -1$ if and only if $\sigma e = -e$ if and only if $\sigma \in Hu$. Otherwise, $\langle e, \sigma e\rangle = 0$. Thus for (i,ii), it suffices to prove $H = \{1\}$. Let $m = \#H$.

Let $T$ be a set of coset representatives for $G$ mod $H\langle u\rangle$ and let $S = T\cdot H$, a set of coset representatives for $G$ mod $\langle u\rangle$. If $a = \sum_{\sigma \in S} a_\sigma\sigma \in (\mathbb{Z}/m\mathbb{Z})(G)$ is fixed by $H$, then $a_{\tau\sigma} = a_\sigma$ for all $\sigma \in S$ and $\tau \in H$, so $a \in (\sum_{\tau \in H}\tau)(\mathbb{Z}/m\mathbb{Z})(G)$. By Definition 9.5, Theorem 11.1, and Lemma 11.4, there is a $\mathbb{Z}[H]$-module isomorphism $L/mL \cong (\mathbb{Z}/m\mathbb{Z})(G)$. Since $e + mL$ is fixed by $H$, we have $e + mL \in (\sum_{\tau \in H}\tau)(L/mL)$, so $e \in mL + (\sum_{\tau \in H}\tau)L$. Write $e = m\varepsilon_1 + (\sum_{\tau \in H}\tau)\varepsilon_2$ with $\varepsilon_1, \varepsilon_2 \in L$. Since $\langle e, \tau\varepsilon_2\rangle = \langle\tau e, \tau\varepsilon_2\rangle = \langle e, \varepsilon_2\rangle$ for all $\tau \in H$, we have

$$1 = \langle e, e\rangle = m\langle e, \varepsilon_1\rangle + \sum_{\tau \in H}\langle e, \tau\varepsilon_2\rangle = m\langle e, \varepsilon_1 + \varepsilon_2\rangle \equiv 0 \bmod m.$$

Thus, $m = 1$ as desired. Part (iii) follows directly from (ii) and Definition 9.2. □

This  enables  us  to  prove  the  following  result. 

Theorem  12.4.  Suppose  L  is  a  G-lattice.  Then: 


Approved  for  Public  Release;  Distribution  Unlimited. 

67 


(i) if $L$ is invertible, then the map

$$\{G\text{-isomorphisms } Z(G) \to L\} \to \{\text{short vectors of } L\}$$

that sends $f$ to $f(1)$ is bijective;

(ii) if $e \in L$ is short and $L$ is invertible, then $\{\sigma e : \sigma \in G\}$ generates the abelian group $L$;

(iii) $L$ is $G$-isomorphic to $Z(G)$ if and only if $L$ is invertible and has a short vector;

(iv) if $e \in L$ is short and $L$ is invertible, then the map $G \to \{\text{short vectors of } L\}$ defined by $\sigma \mapsto \sigma e$ is bijective.

Proof. For (i), that $f(1)$ is short is clear. Injectivity of the map $f \mapsto f(1)$ follows from $Z(G)$-linearity of $G$-isomorphisms. For surjectivity, suppose $e \in L$ is short. Proposition 12.3(ii) says that $\{\sigma e\}_{\sigma \in S}$ is an orthonormal basis for $L$. Parts (ii) and (i) now follow, where the $G$-isomorphism $f$ is defined by $x \mapsto xe$ for all $x \in Z(G)$. Part (iii) follows from (i) and Lemma 9.6. Part (iv) is trivial for $Z(G)$, and $L$ is $G$-isomorphic to $Z(G)$, so we have (iv). □

13.  Tensor  products  of  G-lattices 

Recall  that  G  is  a  finite  abelian  group  with  an  element  u  of  order  2.  We  will  define 
the  tensor  product  of  invertible  G-lattices,  and  derive  some  properties. 

Definition 13.1. Suppose that $L$ and $M$ are invertible $G$-lattices. Define the $Z(G)$-bilinear map

$$\cdot : (L \otimes_{Z(G)} M) \times (L \otimes_{Z(G)} M) \to Z(G), \quad (a, b) \mapsto a\cdot b$$

by letting $(x \otimes v)\cdot(y \otimes w) = (x\cdot y)(v\cdot w)$ for all $x, y \in L$ and $v, w \in M$ and extending $Z(G)$-bilinearly. Take $\overline{L \otimes_{Z(G)} M}$ to be $\bar{L} \otimes_{Z(G)} \bar{M}$, with $\overline{x \otimes v} = \bar{x} \otimes \bar{v}$.

Example 13.2. Let $L = L_{(I_1, w_1)}$ and $M = L_{(I_2, w_2)}$ where $I_1, I_2$ are fractional $Z(G)$-ideals, $w_1, w_2 \in Q(G)^*$ are such that $\psi(w_i) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, and $I_i\bar{I}_i = Z(G)w_i$ for $i = 1, 2$. Then $L \otimes_{Z(G)} M$ may be identified with $I_1I_2$ via Lemma 11.4, and $\bar{L} \otimes_{Z(G)} \bar{M}$ with $\bar{I}_1\bar{I}_2$, and the dot product $I_1I_2 \times I_1I_2 \to Z(G)$ from Definition 13.1 becomes $a\cdot b = a\bar{b}/(w_1w_2)$ as in Example 9.4. This is precisely the lifted inner product of the $G$-lattice $L_{(I_1I_2, w_1w_2)}$ (which is invertible by Theorem 11.1). We thus have

$$(13.3)\qquad L_{(I_1, w_1)} \otimes_{Z(G)} L_{(I_2, w_2)} = L_{(I_1I_2, w_1w_2)}.$$

Theorem 13.4. Let $L$ and $M$ be invertible $G$-lattices. Then $L \otimes_{Z(G)} M$ is an invertible $G$-lattice with inner product $\langle a, b\rangle = t(a\cdot b)$, where the dot product is defined in Definition 13.1 and equals the lifted inner product for this $G$-lattice.

Proof. By Theorem 11.1 we may assume that $L = L_{(I_1, w_1)}$ and $M = L_{(I_2, w_2)}$ where $I_1, I_2$ are fractional $Z(G)$-ideals, $w_1, w_2 \in Q(G)^*$ are such that $\psi(w_i) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, and $I_i\bar{I}_i = Z(G)w_i$ for $i = 1, 2$. In this case, we already checked the theorem in Example 13.2. □
Proposition 13.5. Suppose that $L$, $M$, and $N$ are invertible $G$-lattices. Then we have the following $G$-isomorphisms:

(i) $L \otimes_{Z(G)} M \cong M \otimes_{Z(G)} L$,

(ii) $(L \otimes_{Z(G)} M) \otimes_{Z(G)} N \cong L \otimes_{Z(G)} (M \otimes_{Z(G)} N)$,

(iii) $L \otimes_{Z(G)} Z(G) \cong L$,

(iv) $L \otimes_{Z(G)} \bar{L} \cong Z(G)$.

Proof. By Theorem 11.1 we may reduce to the case where the invertible $G$-lattices are of the form $L_{(I, w)}$. Then (13.3) immediately gives (i) and (ii). For (iii) and (iv), note that $Z(G) = L_{(Z(G), 1)}$, and if $L = L_{(I, w)}$ then $\bar{L} = L_{(\bar{I}, \bar{w})} = L_{(\bar{I}, w)} =$

Remark 13.6. One can extend parts (i), (ii), and (iii) of Proposition 13.5 to general $G$-lattices, by replacing $L \otimes_{Z(G)} M$ by its image in $L_{\mathbb{Q}} \otimes_{Q(G)} M_{\mathbb{Q}}$. That image is a $G$-lattice with lifted inner product given by the same formula.

14.  The  Witt-Picard  group 

As before, $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2.

Definition 14.1. We define

$$\mathrm{WPic}_{Z(G)} = \{[L] : L \text{ is an invertible } G\text{-lattice}\},$$

where the symbols $[L]$ are chosen so that $[L] = [M]$ if and only if $L$ and $M$ are $G$-isomorphic.

Theorem 14.2. The set $\mathrm{WPic}_{Z(G)}$ is an abelian group, with group operation defined by $[L]\cdot[M] = [L \otimes_{Z(G)} M]$, with identity element $[Z(G)]$, and with $[L]^{-1} = [\bar{L}]$.

Proof.  This  follows  immediately  from  Theorem  13.4  and  Proposition  13.5.  □ 

Corollary 14.3. Suppose that $L$ and $M$ are invertible $G$-lattices. Then $L$ and $M$ are $G$-isomorphic if and only if $L \otimes_{Z(G)} \bar{M}$ and $Z(G)$ are $G$-isomorphic.

Proof.  This  follows  immediately  from  Theorem  14.2.  □ 

The  following  description  of  WPicz(G)  is  reminiscent  of  the  definition  of  class  groups 
in  algebraic  number  theory. 

Proposition 14.4. Let $\mathcal{I}_{Z(G)}$ denote the group of invertible fractional $Z(G)$-ideals. Then the group $\mathrm{WPic}_{Z(G)}$ is isomorphic to the quotient of the group

$$\{(I, w) \in \mathcal{I}_{Z(G)} \times Q(G)^* : I\bar{I} = Z(G)w \text{ and } \psi(w) \in \mathbb{R}_{>0} \text{ for all } \psi \in \Psi\}$$

by its subgroup $\{(Z(G)v, v\bar{v}) : v \in Q(G)^*\}$.

Proof. Define the map by $(I, w) \mapsto [L_{(I, w)}]$. Surjectivity follows from Theorem 11.1, and the kernel is the desired subgroup by Theorem 8.5. □
Just as for the class group, we have:

Theorem 14.5. The group $\mathrm{WPic}_{Z(G)}$ is finite.

Proof. If $L$ is an invertible $G$-lattice and $\{b_1, \ldots, b_n\}$ is an LLL-reduced basis, and for $\sigma \in G$ we have $\sigma(b_i) = \sum_{j=1}^n a_{ij}^{\sigma} b_j$ with $a_{ij}^{\sigma} \in \mathbb{Z}$, then $|\langle b_i, b_j\rangle| \le 2^{n-1}$ and $|a_{ij}^{\sigma}| \le 3^{n-1}$ for all $i$, $j$, and $\sigma$, by Proposition 3.4(iii) and (iv). Thus there are only finitely many possibilities for $\big((\langle b_i, b_j\rangle)_{i,j=1}^n, (a_{ij}^{\sigma})_{i,j=1,\ldots,n;\,\sigma \in G}\big)$. If $L'$ is also an invertible $G$-lattice with LLL-reduced basis $\{b'_1, \ldots, b'_n\}$, and if we have $\langle b_i, b_j\rangle = \langle b'_i, b'_j\rangle$ and $a_{ij}^{\sigma} = a'^{\sigma}_{ij}$ for all $i$, $j$, and $\sigma$, then the group isomorphism $L \to L'$, $b_i \mapsto b'_i$ is an isomorphism of $G$-lattices. The finiteness of $\mathrm{WPic}_{Z(G)}$ now follows. □

We call $\mathrm{WPic}_{Z(G)}$ the Witt-Picard group of $Z(G)$. The reason for the nomenclature lies in Theorem 11.1. If $R$ is a commutative ring, an invertible $R$-module is an $R$-module $L$ for which there exists an $R$-module $M$ with $L \otimes_R M \cong R$. The Picard group $\mathrm{Pic}_R$ is the set of invertible $R$-modules up to isomorphism, where the group operation is tensoring over $R$. This addresses the module structure, while Witt rings reflect the structure as a unimodular lattice.

Algorithm 14.6. Given invertible $G$-lattices $L$ and $M$ equipped with LLL-reduced bases, the algorithm outputs $L \otimes_{Z(G)} M$ with an LLL-reduced basis and an $n \times n \times n$ array of integers to describe the multiplication map $L \times M \to L \otimes_{Z(G)} M$.

(i) Compute the tensor product $L \otimes_{Z(G)} M$ and its lattice structure and multiplication map $L \times M \to L \otimes_{Z(G)} M$.

(ii) Compute an LLL-reduced basis for $L \otimes_{Z(G)} M$.

One way to perform step (i) in Algorithm 14.6 is to use Proposition 10.1 (with $m = 2$) in order to realize $L$ and $M$ as $L_{(I, w)}$ and $L_{(I', w')}$, and take the products $II'$ and $ww'$. Another (probably less efficient) option is to directly use the definition of tensor product, i.e., compute $L \otimes_{Z(G)} M$ as

$$(L \otimes_{\mathbb{Z}} M)\Big/\Big(\sum_{i,j,\sigma} \mathbb{Z}(\sigma b_i \otimes b'_j - b_i \otimes \sigma b'_j)\Big)$$

where $L \otimes_{\mathbb{Z}} M = \bigoplus_{i,j} \mathbb{Z}(b_i \otimes b'_j)$. With either choice, Algorithm 14.6 runs in polynomial time.

Applying  Algorithm  14.6  gives  the  following  polynomial-time  algorithm. 

Algorithm 14.7. Given $G$ and $u$ as usual, $G$-lattices $L$ and $L'$ equipped with LLL-reduced bases, a positive integer $m$, and elements $d \in L/mL$ and $d' \in L'/mL'$, the algorithm computes $L \otimes_{Z(G)} L'$ and the element $d \otimes d' \in (L \otimes L')/m(L \otimes L')$.

(i) Apply Algorithm 14.6 to compute $L \otimes_{Z(G)} L'$.

(ii) Lift $d$ to $L$ and $d'$ to $L'$, and then apply the map

$$L \times L' \to L \otimes_{Z(G)} L' \to (L \otimes L')/m(L \otimes L').$$
For all $G$, $u$, and $m \in \mathbb{Z}_{>0}$, there is a bound on the runtime of the previous algorithm that holds uniformly for all $L$, $L'$, $d$, and $d'$, and this bound is polynomial in the length of the data specifying $G$, $u$, and $m$.

Applying  basis  reduction,  and  iterating  Algorithm  14.7  using  an  addition  chain  for 
r,  gives  the  following  polynomial-time  algorithm.  It  replaces  the  polynomial  chains 
in  §7.4  of  the  Gentry-Szydlo  paper  [3]. 

Algorithm 14.8. Given $G$, $u$, a $G$-lattice $L$, positive integers $m$ and $r$, and $d \in L/mL$, the algorithm computes $L^{\otimes r}$ and $d^{\otimes r} \in L^{\otimes r}/mL^{\otimes r}$.

Note that it is $\log(r)$ and not $r$ that enters in the runtime. This means that very high powers of lattices can be computed without coefficient blow-up, thanks to the basis reduction that takes place in Algorithm 14.6(ii). The fact that this is possible was one of the crucial ideas of Gentry and Szydlo.

15.  The  extended  tensor  algebra  A 

The  extended  tensor  algebra  A  is  a  single  algebraic  structure  that  comprises  all 
rings  and  lattices  that  our  main  algorithm  needs,  including  their  inner  products. 

Suppose $L$ is an invertible $G$-lattice. Letting $L^{\otimes 0} = Z(G)$ and letting $L^{\otimes m} = L \otimes_{Z(G)} \cdots \otimes_{Z(G)} L$ (with $m$ $L$'s) and $L^{\otimes(-m)} = \bar{L}^{\otimes m} = \bar{L} \otimes_{Z(G)} \cdots \otimes_{Z(G)} \bar{L}$ for all $m \in \mathbb{Z}_{>0}$, define the extended tensor algebra

$$A = \bigoplus_{i \in \mathbb{Z}} L^{\otimes i} = \cdots \oplus \bar{L}^{\otimes 3} \oplus \bar{L}^{\otimes 2} \oplus \bar{L} \oplus Z(G) \oplus L \oplus L^{\otimes 2} \oplus L^{\otimes 3} \oplus \cdots$$

("extended" because we extend the usual notion to include negative exponents $L^{\otimes(-m)}$). Each $L^{\otimes i}$ is an invertible $G$-lattice, and represents $[L]^i$. For simplicity, we denote $L^{\otimes i}$ by $L^i$. For all $j \in \mathbb{Z}$ we have $\overline{L^j} = \bar{L}^j = L^{-j}$. Note that computing the $G$-lattice $L^{-1} = \bar{L}$ is trivial; just compose the $G$-action map $G \to \mathrm{GL}(n, \mathbb{Z})$ with the map $G \to G$, $\sigma \mapsto \bar{\sigma}$. The ring structure on $A$ is defined as the ring structure on the tensor algebra, supplemented with the lifted inner product $\cdot$ of Definition 9.2. Let $A_{\mathbb{Q}} = A \otimes \mathbb{Q}$.

Proposition 15.1. (i) The extended tensor algebra $A$ is a commutative ring containing $Z(G)$ as a subring;

(ii) for all $j \in \mathbb{Z}$, the action of $G$ on $L^j$ becomes multiplication in $A$;

(iii) $A$ has an involution $a \mapsto \bar{a}$ extending both the involution of $Z(G)$ and the map $L \to \bar{L}$;

(iv) if $j \in \mathbb{Z}$, then the lifted inner product $\cdot : L^j \times L^j \to Z(G)$ becomes multiplication in $A$, with $\overline{L^j} = L^{-j}$;

(v) if $j \in \mathbb{Z}$, then for all $x, y \in L^j$ we have $\langle x, y\rangle = t(x\bar{y})$;

(vi) if $j \in \mathbb{Z}$ and $e \in L^j$ is short, then $\bar{e} = e^{-1}$ in $L^{-j}$;

(vii) if $\gamma$ is as in Lemma 11.5, then $\gamma \in A_{\mathbb{Q}}$, one has $L^i_{\mathbb{Q}} = Q(G)\gamma^i$ for all $i \in \mathbb{Z}$, and $A_{\mathbb{Q}}$ may be identified with the Laurent polynomial ring $Q(G)[\gamma, \gamma^{-1}]$;

(viii) if $e \in L$ is short, then $A = Z(G)[e, e^{-1}]$.

Proof.  The  proof  is  straightforward.  It  is  best  to  begin  with  (vii).  □ 

All computations in $A$ and in $A/mA = \bigoplus_{i \in \mathbb{Z}} L^i/mL^i$ with $m \in \mathbb{Z}_{>0}$ that occur in our algorithms are done with homogeneous elements only, where the set of homogeneous elements of $A$ is $\bigcup_{i \in \mathbb{Z}} L^i$.

If $A$ is a commutative ring, let $\mu(A)$ denote the subgroup of $A^*$ consisting of the roots of unity, i.e., the elements of finite order. The following result will allow us to construct a polynomial-time algorithm to find $k$-th roots of short vectors, when they exist.

Proposition 15.2. Suppose $L$ is an invertible $G$-lattice, $r \in \mathbb{Z}_{>0}$, and $\nu$ is a short vector in the $G$-lattice $L^r$. Let $\bar{A} = A/(\nu - 1)$. Identifying $L^i \subset A$ with its image in $\bar{A}$, we can view $\bar{A} = \bigoplus_{i=0}^{r-1} L^i$ as a $\mathbb{Z}/r\mathbb{Z}$-graded ring. Then:

(i) $G \subset \mu(\bar{A}) \subset \bigcup_{i=0}^{r-1} L^i$;

(ii) $\{e \in L : e\cdot e = 1\} = \mu(\bar{A}) \cap L$;

(iii) $|\mu(\bar{A})|$ is divisible by $2n$ and divides $2nr$;

(iv) the degree map $\mu(\bar{A}) \to \mathbb{Z}/r\mathbb{Z}$ that takes $e \in \mu(\bar{A})$ to $j$ such that $e \in L^j$ is surjective if and only if $\mu(\bar{A}) \cap L \ne \emptyset$, and

(v) there exists $e \in L$ for which $e\cdot e = 1$ if and only if $\#\mu(\bar{A}) = 2nr$.

Proof. Since the ideal $(\bar{\nu} - 1) = (\nu^{-1} - 1) = (1 - \nu) = (\nu - 1)$, the map $a \mapsto \bar{a}$ induces an involution on $\bar{A}$.

Next we show that the natural map $\bigoplus_{i=0}^{r-1} L^i \to A/(\nu - 1) = \bar{A}$ is bijective. For surjectivity, by Proposition 15.1(vi) we have $\nu L^j = L^{j+r}$ for all $j \in \mathbb{Z}$, and thus $L^{j+r}$ and $L^j$ have the same image under the natural map $A \to A/(\nu - 1) = \bar{A}$. For injectivity, suppose $0 \ne a = \sum_{i=h}^{j} a_i \in A$ with $h \le j$, with all $a_i \in L^i$, and with $a_h \ne 0$ and $a_j \ne 0$. Then $(\nu - 1)a = \sum_{i=h}^{j+r} b_i$ with $b_i \in L^i$, where $b_h = -a_h \ne 0$ and $b_{j+r} = \nu a_j \ne 0$, and therefore $(\nu - 1)a \notin \bigoplus_{i=0}^{r-1} L^i$. Hence we have $(\nu - 1)A \cap \bigoplus_{i=0}^{r-1} L^i = \{0\}$.

Recall that $\Psi$ is the set of $\mathbb{C}$-algebra homomorphisms from $C(G)$ to $\mathbb{C}$. Letting $A_{\mathbb{Q}} = A \otimes_{\mathbb{Z}} \mathbb{Q}$, we have $\bar{A}_{\mathbb{Q}} = A_{\mathbb{Q}}/(\nu - 1)A_{\mathbb{Q}}$ and $A_{\mathbb{Q}} = \bigoplus_{i \in \mathbb{Z}} L^i_{\mathbb{Q}}$. Since $L$ is invertible, by Lemma 11.5 there exists $\gamma \in L_{\mathbb{Q}}$ such that $L_{\mathbb{Q}} = Q(G)\cdot\gamma$ with $z = \gamma\bar{\gamma} \in Q(G)^*$ and $\psi(z) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$. By Proposition 15.1(vii) we have $\gamma \in A_{\mathbb{Q}}$, and $L^j_{\mathbb{Q}} = Q(G)\cdot\gamma^j$ for all $j \in \mathbb{Z}$, and $A_{\mathbb{Q}} = \bigoplus_{i \in \mathbb{Z}} L^i_{\mathbb{Q}} = Q(G)[\gamma, \gamma^{-1}]$. Thus, there exists $\delta \in Q(G)^*$ such that $\nu = \delta\gamma^r$. The set of ring homomorphisms from $\bar{A}$ to $\mathbb{C}$ can be identified with the set of ring homomorphisms from $\bar{A}_{\mathbb{Q}}$ to $\mathbb{C}$, which is $\{\text{ring homomorphisms } \varphi : A_{\mathbb{Q}} \to \mathbb{C} : \varphi(\nu) = 1\}$. The latter set can be identified with $\{(\psi, \zeta) : \psi \in \Psi, \zeta \in \mathbb{C}^*, \psi(\delta)\zeta^r = 1\}$ via the map $\varphi \mapsto (\varphi|_{Q(G)}, \varphi(\gamma))$ and its inverse $(\psi, \zeta) \mapsto (\sum_i a_i\gamma^i \mapsto \sum_i \psi(a_i)\zeta^i)$, and has size $nr = \dim_{\mathbb{Q}}(\bar{A}_{\mathbb{Q}})$. Since $1 = \nu\bar{\nu} = (\delta\gamma^r)(\bar{\delta}\bar{\gamma}^r) = \delta\bar{\delta}z^r$, we have $\psi(\delta)\psi(\bar{\delta})\psi(z)^r = 1 = \psi(\delta)\psi(\bar{\delta})(\zeta\bar{\zeta})^r$, so $\psi(z)^r = (\zeta\bar{\zeta})^r$. Since $\psi(z) \in \mathbb{R}_{>0}$, we have $\psi(z) = \zeta\bar{\zeta}$. Since $\bar{\gamma} = z\gamma^{-1}$, we now have $\varphi(\bar{\gamma}) = \varphi(z)\zeta^{-1} = \bar{\zeta} = \overline{\varphi(\gamma)}$. By Lemma 7.3(i) we have $\psi(\bar{a}) = \overline{\psi(a)}$ for all $a \in Q(G)$. Since $A_{\mathbb{Q}}$ is generated as a ring by $Q(G)$ and $\gamma$, it follows that $\varphi(\bar{a}) = \overline{\varphi(a)}$ for all $a \in A_{\mathbb{Q}}$ and all ring homomorphisms $\varphi : \bar{A}_{\mathbb{Q}} \to \mathbb{C}$.

Applying 7.1 to the commutative $\mathbb{Q}$-algebra $\bar{A}_{\mathbb{Q}}$ shows that $\bigcap_{\varphi} \ker\varphi = 0$.

Let $E = \{e \in \bar{A} : e\bar{e} = 1\}$, a subgroup of $\bar{A}^*$.

If $e \in \mu(\bar{A})$, then $\varphi(e)$ is a root of unity in $\mathbb{C}$ for all ring homomorphisms $\varphi : \bar{A} \to \mathbb{C}$, so $1 = \varphi(e)\overline{\varphi(e)} = \varphi(e)\varphi(\bar{e}) = \varphi(e\bar{e})$. Since $\bigcap_{\varphi}\ker\varphi = 0$, we have $e\bar{e} = 1$. Thus, $\mu(\bar{A}) \subset E$.

Conversely, suppose $e \in E$. Write $e = \sum_{i=0}^{r-1}\varepsilon_i$ with $\varepsilon_i \in L^i$, so $\bar{e} = \sum_{i=0}^{r-1}\bar{\varepsilon}_i$ with $\bar{\varepsilon}_i \in L^{-i} = L^{r-i}$ in $\bar{A}$. We have $1 = e\bar{e} = \sum_{i=0}^{r-1}\varepsilon_i\bar{\varepsilon}_i$, the degree 0 piece of $e\bar{e}$. Applying the map $t$ of Definition 6.2 and using (9.3) we have $1 = \sum_{i=0}^{r-1}\langle\varepsilon_i, \varepsilon_i\rangle$. It follows that there exists $j$ such that $\langle\varepsilon_j, \varepsilon_j\rangle = 1$, and $\varepsilon_i = 0$ if $i \ne j$. Thus, $E \subset \bigcup_{i=0}^{r-1}\{e \in L^i : \langle e, e\rangle = 1\}$, giving (i). By Proposition 12.3(iii) and Example 12.2 we have $E \cap Z(G) = G$, so $\mu(Z(G)) = G$.

The degree map from $E$ to $\mathbb{Z}/r\mathbb{Z}$ that takes $e \in E$ to $j$ such that $e \in L^j$ is a group homomorphism with kernel $E \cap Z(G) = G$. Therefore, $\#E$ divides $\#G \cdot \#(\mathbb{Z}/r\mathbb{Z}) = 2nr$. Thus, $E \subset \mu(\bar{A}) \subset E$, so $E = \mu(\bar{A})$ and we have (ii) and (iii). The degree map is surjective if and only if $\#\mu(\bar{A}) = 2nr$, and if and only if 1 is in the image, i.e., if and only if $\mu(\bar{A}) \cap L \ne \emptyset$. This gives (iv). Part (v) now follows from (ii). □

Remark 15.3. In the proof of Proposition 15.2 we showed that $\mu(Z(G)) = G$.

16.  Short  vectors 

Recall that $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2. The main result of this section is Algorithm 16.4.

Definition 16.1. The exponent of a finite group $H$ is the least positive integer $k$ such that $\sigma^k = 1$ for all $\sigma \in H$.

The  exponent  of  a  finite  group  H  divides  and  has  the  same  prime  factors  as 

Definition  16.2.  Let  k  denote  the  exponent  of  G. 

By Theorem 12.4, the $G$-isomorphisms $Z(G) \to L$ for a $G$-lattice $L$ are in one-to-one correspondence with the short vectors of $L$, and if a short $e \in L$ exists, then the short vectors of $L$ are exactly the $2n$ vectors $\{\sigma e : \sigma \in G\}$. With $k$ the exponent of $G$, we have $(\sigma e)^k = \sigma^k e^k = e^k$ in $A$. Hence for invertible $L$, all short vectors in $L$ have the same $k$-th power $e^k \in A$. At least philosophically, it is easier to find things that are uniquely determined. We look for $e^k$ first, and then recover $e$ from it.

The $n$ of [3] is an odd prime, so the group exponent $k = 2n$, and $Z(G)$ embeds in $\mathbb{Q}(\zeta_n) \times \mathbb{Q}$, where $\zeta_n \in \mathbb{C}^*$ is a primitive $n$-th root of unity. Since the latter is a product of only two number fields, the number of zeros of $X^{2n} - v^{2n}$ is at most $(2n)^2$, and the Gentry-Szydlo method for finding $v$ from $v^{2n}$ is sufficiently efficient. If one wants to generalize [3] to the case where $n$ is not prime, then the smallest $t$ such that $Z(G)$ embeds in $F_1 \times \cdots \times F_t$ with number fields $F_i$ can be as large as $n$. Given $v$, the number of zeros of $X^k - v$ could be as large as $k^t$. Finding $e$ such that $v = e^k$ then requires a more efficient algorithm, which we attain with Algorithm 16.4 below.

An order is a commutative ring $A$ whose additive group is isomorphic to $\mathbb{Z}^n$ for some $n \in \mathbb{Z}_{>0}$. We specify an order by saying how to multiply any two vectors in a given basis. In [9] we prove the following result, and give the associated algorithm.

Proposition 16.3. There is a deterministic polynomial-time algorithm that, given an order $A$, determines a set of generators for the group $\mu(A)$ of roots of unity in $A^*$.

Algorithm 16.4. Given $G$, $u$, an invertible $G$-lattice $L$, and $\nu \in L^k$ given as a sum of products of $k$ factors from $L$, with $k$ the exponent of $G$, the algorithm determines whether there exists $e \in L$ such that $\nu = e^k$ and $e\cdot e = 1$, and if so, finds one.

(i) Compute the order $\bar{A} = A/(\nu - 1)$.

(ii) Check whether $\nu\bar{\nu} = 1$. If $\nu\bar{\nu} \ne 1$, output "no $e$ exists". If $\nu\bar{\nu} = 1$, apply Proposition 16.3 to compute generators for $\mu(\bar{A})$ with $\bar{A} = A/(\nu - 1)$.

(iii) Apply the degree map $\mu(\bar{A}) \to \mathbb{Z}/k\mathbb{Z}$ from Proposition 15.2(iv) to the generators, and check whether the images generate $\mathbb{Z}/k\mathbb{Z}$. If they do not, output "no $e$ exists"; if they do, compute an element $e \in \mu(\bar{A})$ whose image under the degree map is 1.

(iv) Check whether $\nu = e^k$. If not, output "no $e$ exists". If so, output $e$.

In step (ii), one could equivalently check whether $\langle\nu, \nu\rangle = 1$.

Proposition 16.5. Algorithm 16.4 is a deterministic polynomial-time algorithm that, given $G$, $u$, an invertible $G$-lattice $L$, and $\nu \in L^k$, with $k$ the exponent of $G$, determines whether there exists $e \in L$ such that $\nu = e^k$ and $e\cdot e = 1$, and if so, finds one.

Proof. We apply Proposition 15.2 with $r = k$. Suppose Step (iii) produces $e \in \mu(\bar{A})$ of degree 1. Then $e \in \mu(\bar{A}) \cap L = \{e \in L : e\cdot e = 1\}$ by Proposition 15.2(ii). By Proposition 12.3(iii), this set is the set of short vectors in $L$. By Theorem 12.4(iv), if a short $\varepsilon \in L$ exists, then the short vectors in $L$ are exactly the $2n$ vectors $\{\sigma\varepsilon : \sigma \in G\}$, which all have the same $k$-th power since $k$ is the exponent of $G$. By this and Proposition 15.2(iv), if any step fails then the desired $e$ does not exist. The algorithm runs in polynomial time since $\#\mu(\bar{A}) = 2nk \le (2n)^2$ by Proposition 15.2(v). □

17.  Finding  auxiliary  prime  powers 

In this section we present an algorithm to find auxiliary prime powers $\ell$ and $m$. To bound the runtime, we use Heath-Brown's version of Linnik's theorem in analytic number theory.

Recall  that  G  is  a  finite  abelian  group  equipped  with  an  element  u  of  order  2,  and 
k  is  the  exponent  of  G. 

Definition 17.1. For $m \in \mathbb{Z}_{>0}$ let $k(m)$ denote the exponent of the unit group $(Z(G)/(m))^*$.
Lemma 17.2. Suppose $p$ is a prime number and $j \in \mathbb{Z}_{>0}$. Then:

(i) $(\mathbb{Z}/p^j\mathbb{Z})^* \subset (Z(G)/(p^j))^*$;

(ii) if $p$ is odd, then the exponent of $(\mathbb{Z}/p^j\mathbb{Z})^*$ is $(p-1)p^{j-1}$;

(iii) if $p \equiv 1 \bmod k$, then $k(p^j) = (p-1)p^{j-1}$.

Proof. Parts (i) and (ii) are easy. For (iii), we proceed by induction on $j$. If $p \equiv 1 \bmod k$, then $p$ is odd. We first take $j = 1$. The map $x \mapsto x^p$ is a ring endomorphism of $Z(G)/(p)$ and is the identity on $G$, since the exponent $k$ divides $p - 1$. Since $G$ generates the ring, the map is the identity and therefore $x^p = x$ for all $x \in Z(G)/(p)$ and $x^{p-1} = 1$ for all $x \in (Z(G)/(p))^*$.

Now suppose $j > 1$. Suppose $x \in Z(G)$ maps to a unit in $Z(G)/(p^j)$. By the induction hypothesis, $x^{(p-1)p^{j-2}} \equiv 1 \bmod p^{j-1}$. Thus, $x^{(p-1)p^{j-2}} = 1 + p^{j-1}v$ for some $v \in Z(G)$. Since $(j-1)p > j$ we have

$$x^{(p-1)p^{j-1}} = (1 + p^{j-1}v)^p = 1 + \binom{p}{1}p^{j-1}v + \cdots + p^{(j-1)p}v^p \equiv 1 \bmod p^j.$$

Thus, $k(p^j)$ divides $(p-1)p^{j-1}$ for all $j \in \mathbb{Z}_{>0}$. Part (iii) now follows from (i) and (ii). □
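The following Python script is an added check of Lemma 17.2(iii), not part of the original report. It assumes, purely as an illustration, that $G$ is cyclic of order $2n$ with $u$ its element of order 2, so that $Z(G) = \mathbb{Z}[G]/(u+1)$ is identified with $\mathbb{Z}[x]/(x^n+1)$, $Z(G)/(p^j)$ with $(\mathbb{Z}/p^j\mathbb{Z})[x]/(x^n+1)$, and the exponent of $G$ is $k = 2n$. It computes $k(p^j)$ of Definition 17.1 by brute force over the whole finite ring and compares it with $(p-1)p^{j-1}$; all function names are the example's own.

```python
"""Brute-force check of Lemma 17.2(iii) (added example, not from the report).

Illustrative assumption: G is cyclic of order 2n and u is its element of
order 2, so Z(G) = Z[G]/(u+1) is identified with Z[x]/(x^n + 1) and
Z(G)/(p^j) with (Z/p^j Z)[x]/(x^n + 1).  The exponent of G is then
k = 2n, and Lemma 17.2(iii) predicts k(p^j) = (p - 1) p^(j - 1)
whenever p = 1 (mod k).
"""
from itertools import product
from math import lcm


def mul(a, b, n, mod):
    """Product of two elements of (Z/mod)[x]/(x^n + 1), as coefficient tuples."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + ai * bj) % mod
            else:  # reduce with x^n = -1
                out[i + j - n] = (out[i + j - n] - ai * bj) % mod
    return tuple(out)


def unit_order(a, n, mod):
    """Multiplicative order of a, or 0 if a is not a unit.

    In a finite ring, a is a unit iff some positive power of a equals 1,
    and such a power, if it exists, is reached within |ring| steps.
    """
    one = (1,) + (0,) * (n - 1)
    power = a
    for e in range(1, mod ** n + 1):
        if power == one:
            return e
        power = mul(power, a, n, mod)
    return 0


def unit_group_exponent(n, p, j):
    """Exponent k(p^j) of (Z(G)/(p^j))* and the number of units, cyclic G."""
    mod = p ** j
    exponent, units = 1, 0
    for a in product(range(mod), repeat=n):
        order = unit_order(a, n, mod)
        if order:
            units += 1
            exponent = lcm(exponent, order)
    return exponent, units


def predicted_exponent(p, j):
    """The value (p - 1) p^(j - 1) asserted by Lemma 17.2(iii)."""
    return (p - 1) * p ** (j - 1)


if __name__ == "__main__":
    n = 2  # G cyclic of order 4, so k = 4; p = 5 satisfies p = 1 (mod 4)
    for p, j in [(5, 1), (5, 2), (3, 1)]:
        print(p, j, unit_group_exponent(n, p, j), predicted_exponent(p, j))
```

For $n = 2$ the script finds $k(5) = 4$ and $k(25) = 20$, as the lemma predicts, while for $p = 3$ (which is not $1 \bmod 4$) the ring $\mathbb{F}_3[x]/(x^2+1)$ is the field with nine elements and the unit group has exponent 8, which is why the congruence on $p$ in Lemma 17.2(iii) and in Algorithm 17.4 below matters.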

Theorem 17.3 (Heath-Brown, Theorem 6 of [4]). There is an effective constant $c > 0$ such that if $a, t \in \mathbb{Z}_{>0}$ and $\gcd(a, t) = 1$, then the smallest prime $p$ such that $p \equiv a \bmod t$ is at most $ct^{5.5}$.

Algorithm 17.4. Given positive integers $n$ and $k$ with $k$ even, the algorithm produces prime powers $\ell = p^r$ and $m = q^s$ with $\ell, m > 2^{n/2} + 1$ such that $p \equiv q \equiv 1 \bmod k$ and $\gcd(\varphi(\ell), \varphi(m)) = k$, where $\varphi$ is Euler's phi function.

(i) Try $p = k+1, 2k+1, 3k+1, \ldots$ until the least prime $p \equiv 1 \bmod k$ is found.

(ii) Find the smallest $r \in \mathbb{Z}_{>0}$ such that $p^r > 2^{n/2} + 1$.

(iii) Try $q = p + k, p + 2k, \ldots$ until the least prime $q \equiv 1 \bmod k$ such that $\gcd((p-1)p, q-1) = k$ is found.

(iv) Find the smallest $s \in \mathbb{Z}_{>0}$ such that $q^s > 2^{n/2} + 1$.

(v) Let $\ell = p^r$ and $m = q^s$.
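Algorithm 17.4 in runnable form, as an added example that is not part of the original report: given $n$ and even $k$ it carries out steps (i) to (v) with trial-division primality testing (the proof of Proposition 17.5 notes that trial division suffices), and confirms $\gcd(\varphi(\ell), \varphi(m)) = k$ before returning. The test $p^r > 2^{n/2} + 1$ is done in exact integer arithmetic as $(p^r - 1)^2 > 2^n$. Function names and the dictionary keys are the example's own.

```python
"""Algorithm 17.4 (auxiliary prime powers), added example, not from the report.

Input: positive integers n and k with k even.
Output: prime powers l = p**r and m = q**s with l, m > 2**(n/2) + 1 such that
p = q = 1 (mod k) and gcd(phi(l), phi(m)) = k, phi being Euler's function.
"""
from math import gcd


def is_prime(x):
    """Trial division; the proof of Proposition 17.5 notes this suffices here."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    d = 3
    while d * d <= x:
        if x % d == 0:
            return False
        d += 2
    return True


def exceeds_threshold(value, n):
    """value > 2**(n/2) + 1, tested exactly as (value - 1)**2 > 2**n."""
    return value > 1 and (value - 1) ** 2 > 2 ** n


def smallest_exponent(p, n):
    """Smallest r >= 1 with p**r > 2**(n/2) + 1 (steps (ii) and (iv))."""
    r = 1
    while not exceeds_threshold(p ** r, n):
        r += 1
    return r


def auxiliary_prime_powers(n, k):
    """Steps (i)-(v) of Algorithm 17.4; returns p, r, q, s, l, m and phi values."""
    if n < 1 or k < 2 or k % 2:
        raise ValueError("need n >= 1 and k even")
    # (i) least prime p = 1 (mod k)
    p = k + 1
    while not is_prime(p):
        p += k
    # (ii) smallest r with p**r above the threshold
    r = smallest_exponent(p, n)
    # (iii) least prime q = 1 (mod k) with gcd((p-1)p, q-1) = k
    q = p + k
    while not (is_prime(q) and gcd((p - 1) * p, q - 1) == k):
        q += k
    # (iv) smallest s with q**s above the threshold
    s = smallest_exponent(q, n)
    # (v) the prime powers; phi(p**r) = (p-1)p**(r-1), which by Lemma 17.2(iii)
    # is also k(l) when p = 1 (mod k)
    l, m = p ** r, q ** s
    phi_l, phi_m = (p - 1) * p ** (r - 1), (q - 1) * q ** (s - 1)
    assert gcd(phi_l, phi_m) == k  # the property Algorithm 17.4 guarantees
    return {"p": p, "r": r, "q": q, "s": s, "l": l, "m": m,
            "phi_l": phi_l, "phi_m": phi_m}


if __name__ == "__main__":
    print(auxiliary_prime_powers(4, 4))   # n = 4, k = 4: p = 5, q = 13
    print(auxiliary_prime_powers(10, 6))  # n = 10, k = 6: p = 7, q = 13
```

With $n = 4$ and $k = 4$ the search gives $p = 5$, $r = 2$, $q = 13$, $s = 1$, so $\ell = 25$ and $m = 13$ with $\gcd(20, 12) = 4$; with $n = 10$ and $k = 6$ it gives $\ell = 49$ and $m = 169$ with $\gcd(42, 156) = 6$. The search in step (iii) always terminates by Theorem 17.3, and in these small cases it stops at the first candidate, in line with Remark 17.6.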

Proposition 17.5. Algorithm 17.4 runs in time $(n + k)^{O(1)}$.

Proof. Algorithm 17.4 takes as input $n, k \in \mathbb{Z}_{>0}$ with $k$ even, and computes positive integers $r$ and $s$ and primes $p$ and $q$ such that:

• $p \equiv q \equiv 1 \bmod k$,

• $\gcd((p-1)p^{r-1}, (q-1)q^{s-1}) = k$,

• $p^r > 2^{n/2} + 1$, and

• $q^s > 2^{n/2} + 1$.

We next show that Algorithm 17.4 terminates, with correct output, in the claimed time. By Theorem 17.3 above, the prime $p$ found by Algorithm 17.4 satisfies $p \le ck^{5.5}$ with an effective constant $c > 0$. Primality testing can be done by trial division. If $p - 1 = k_1k_2$ with every prime divisor of $k_1$ also dividing $k$ and with $\gcd(k_2, k) = 1$, then to have $\gcd((p-1)p, q-1) = k$ it suffices to have $q \equiv 2 \bmod p$ and $q \equiv 1 + k \bmod k_1$ and $q \equiv 2 \bmod k_2$. This gives a congruence $q \equiv a \bmod p(p-1)$ for some $a$ with $\gcd(a, p(p-1)) = 1$. Theorem 17.3 implies that Algorithm 17.4 produces a prime $q$ with the desired properties and satisfying $q \le c(p^2)^{5.5} \le c(ck^{5.5})^{11} = c^{12}k^{60.5}$. The upper bounds on $p$ and $q$ imply that Algorithm 17.4 runs in time $(n + k)^{O(1)}$. □

Remark 17.6. In practice, Algorithm 17.4 is much faster than implied by the proof of Proposition 17.5; Theorem 17.3 is unnecessarily pessimistic, and in practice one does not need to find a prime $q$ that is congruent to 2 mod $pk_2$ and to $1 + k$ mod $k_1$. In work in progress, we get better bounds for the runtime of our main algorithm, and avoid using the theorem of Heath-Brown or Algorithm 17.4, by generalizing our theory to the setting of "CM orders".

Algorithm  17.4  immediately  yields  the  following  algorithm. 

Algorithm 17.7. Given $G$ and $u$, the algorithm produces prime powers $\ell$ and $m$ such that $\ell, m > 2^{n/2} + 1$ and $\gcd(k(\ell), k(m)) = k$, where $k$ is the exponent of $G$, and produces the values of $k(\ell)$ and $k(m)$.

(i) Compute $n$ and $k$.

(ii) Run Algorithm 17.4 to compute prime powers $\ell = p^r$ and $m = q^s$ with $\ell, m > 2^{n/2} + 1$ such that $p \equiv q \equiv 1 \bmod k$ and $\gcd(\varphi(\ell), \varphi(m)) = k$.

(iii) Compute $k(\ell) = (p-1)p^{r-1}$ and $k(m) = (q-1)q^{s-1}$.

By Lemma 17.2(iii), Algorithm 17.7 produces the desired output. It follows from Proposition 17.5 that Algorithm 17.7 runs in polynomial time (note that the input in Algorithm 17.7 includes the group law on $G$).

Remark 17.8. Our prime powers $\ell$ and $m$ play the roles that in the Gentry-Szydlo paper [3] were played by auxiliary prime numbers $P, P' > 2^{(n+1)/2}$ such that $\gcd(P - 1, P' - 1) = 2n$. Our $k(\ell)$ and $k(m)$ replace their $P - 1$ and $P' - 1$. While the Gentry-Szydlo primes $P$ and $P'$ are found with at best a probabilistic algorithm, we can find $\ell$ and $m$ in polynomial time with a deterministic algorithm. (Further, the ring elements they work with were required to not be zero divisors modulo $P$, $P'$ and other small auxiliary primes; we require no analogous condition on $\ell$ and $m$, since by Definition 9.5, when $L$ is invertible then for all $m$, the $(\mathbb{Z}/m\mathbb{Z})(G)$-module $L/mL$ is free of rank 1.)

The  next  result  will  provide  the  proof  of  correctness  for  a  key  step  in  our  main 
algorithm. 

Lemma 17.9. Suppose $e$ is a short vector in an invertible $G$-lattice $L$, suppose $\ell, m \in \mathbb{Z}_{\ge 3}$, and suppose $e_{\ell m} \in L$ is such that $e_{\ell m} + \ell mL$ generates $L/\ell mL$ as a $(\mathbb{Z}/\ell m\mathbb{Z})(G)$-module. Then $e^{k(m)}$ is the unique short vector in the coset $e_{\ell m}^{k(m)} + mL^{k(m)}$, and there is a unique $s \in ((\mathbb{Z}/\ell\mathbb{Z})(G))^*$ such that $e^{k(m)} \equiv s\,e_{\ell m}^{k(m)} \bmod \ell L^{k(m)}$. If further $b \in \mathbb{Z}_{>0}$ and $bk(m) \equiv k \bmod k(\ell)$, then $e^k$ is the unique short vector in $s^b e_{\ell m}^k + \ell L^k$.


Approved  for  Public  Release;  Distribution  Unlimited. 

76 


Proof. Since $e$ is short, we have $\mathbb{Z}(G)e = L$. Thus for all $r \in \mathbb{Z}_{>0}$, the coset $e + rL$
generates $L/rL$ as a $\mathbb{Z}(G)/(r)$-module. We also have that $e_{\ell m} + mL$ generates $L/mL$
as a $\mathbb{Z}(G)/(m)$-module, and $e_{\ell m} + \ell L$ generates $L/\ell L$ as a $\mathbb{Z}(G)/(\ell)$-module. Thus,
there exist $y_m \in (\mathbb{Z}(G)/(m))^*$ and $y_\ell \in (\mathbb{Z}(G)/(\ell))^*$ such that $e_{\ell m} \equiv y_m e \bmod mL$
and $e_{\ell m} \equiv y_\ell e \bmod \ell L$. Since $k(m)$ and $k(\ell)$ are the exponents of these unit groups,
$y_m^{k(m)} = 1$ and $y_\ell^{k(\ell)} = 1$, and it follows that $e_{\ell m}^{k(m)} \equiv e^{k(m)} \bmod mL^{k(m)}$ and
$e_{\ell m}^{k(\ell)} \equiv e^{k(\ell)} \bmod \ell L^{k(\ell)}$.

We have $(\mathbb{Z}/\ell\mathbb{Z})(G)e = L/\ell L = (\mathbb{Z}/\ell\mathbb{Z})(G)e_{\ell m}$. Thus

$(\mathbb{Z}/\ell\mathbb{Z})(G) \cdot e^{k(m)} = L^{k(m)}/\ell L^{k(m)} = (\mathbb{Z}/\ell\mathbb{Z})(G) \cdot e_{\ell m}^{k(m)},$

so

(17.10)  $e^{k(m)} \equiv s\,e_{\ell m}^{k(m)} \bmod \ell L^{k(m)}$

for a unique $s \in ((\mathbb{Z}/\ell\mathbb{Z})(G))^*$. We have $e\bar{e} = 1$, so $e \in A^*$ and $e + \ell A \in (A/\ell A)^*$.
By (17.10) we have $(e + \ell A)^{k(m)} = s(e_{\ell m} + \ell A)^{k(m)}$ in $A/\ell A = \bigoplus_{i \in \mathbb{Z}} L^i/\ell L^i$. It follows
that $e_{\ell m} + \ell A \in (A/\ell A)^*$.

If $a\,k(\ell) + b\,k(m) = k$ with $a \in \mathbb{Z}$, then $e^k = (e^{k(\ell)})^a (e^{k(m)})^b \equiv (e_{\ell m}^{k(\ell)})^a (s\,e_{\ell m}^{k(m)})^b =
s^b e_{\ell m}^k \bmod \ell A$, so $s^b e_{\ell m}^k + \ell L^k$ contains the short vector $e^k$ of $L^k$. In both cases,
uniqueness follows from Proposition 4.1. $\square$

18. The main algorithm

We present the main algorithm. That it is correct and runs in polynomial time
follows from the results above; see the discussion after the algorithm. As before, $k$ is
the exponent of the group $G$ and $k(j)$ is the exponent of $(\mathbb{Z}(G)/(j))^*$ if $j \in \mathbb{Z}_{>0}$.

Algorithm 18.1. Given $G$, $u$, and a $G$-lattice $L$, the algorithm determines whether
there exists a $G$-isomorphism $\mathbb{Z}(G) \to L$, and if so, computes one.

(i) Apply Algorithm 10.2 to check whether $L$ is invertible. If it is not, terminate
with "no".

(ii) Apply Algorithm 17.7 to produce prime powers $\ell$ and $m$ as well as $k(\ell)$ and
$k(m)$.

(iii) Use Proposition 10.1 to compute $e_{\ell m}$.

(iv) Use Algorithm 14.8 to compute the pair $(L^{k(m)},\ e_{\ell m}^{k(m)} + \ell m L^{k(m)})$. Use Algorithm
4.2 to decide whether the coset $e_{\ell m}^{k(m)} + mL^{k(m)}$ contains a short vector
$v_m \in L^{k(m)}$, and if so, compute it. Terminate with "no" if none exists.

(v) Compute $s \in (\mathbb{Z}/\ell\mathbb{Z})(G)$ such that $v_m = s\,e_{\ell m}^{k(m)} + \ell L^{k(m)}$ in $L^{k(m)}/\ell L^{k(m)}$.

(vi) Use the extended Euclidean algorithm to find $b \in \mathbb{Z}_{\ge 0}$ such that $b\,k(m) \equiv k \bmod k(\ell)$.

(vii) Use Algorithm 14.6 to compute the lattices $L^2, L^3, \ldots, L^k$ as well as data
for the multiplication maps $L \times L^i \to L^{i+1}$ (for $1 \le i < k$). Also compute
$e_{\ell m}^k + \ell L^k \in L^k/\ell L^k$.

(viii) Compute $s^b \in (\mathbb{Z}/\ell\mathbb{Z})(G)$, and compute $s^b e_{\ell m}^k \in L^k/\ell L^k$. Use Algorithm 4.2
to decide whether the coset $s^b e_{\ell m}^k + \ell L^k$ contains a short vector $v \in L^k$, and
if so, compute it. Terminate with "no" if none exists.

(ix) Apply Algorithm 16.4 to find $e \in L$ such that $v = e^k$ and $e\bar{e} = 1$ (or to
prove there is no $G$-isomorphism), and let the map $\mathbb{Z}(G) \to L$ send $x$ to $xe$.
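A worked example, added here and not part of the report: a naive stand-in for steps (i)-(iii) of Algorithm 17.7, followed by step (vi) of Algorithm 18.1 on its output. It assumes that $G$ is given as a list of cyclic orders (so $n = |G|$ is their product and $k$ their least common multiple), and it replaces Algorithm 17.4, which is not reproduced on this page, by a plain increasing search over primes $p \equiv 1 \bmod k$; that search is deterministic but carries no polynomial-time guarantee. All function names are the example's own.

```python
# Added example; not code from the report.  A naive stand-in for Algorithm 17.7
# together with step (vi) of Algorithm 18.1.  Assumptions the page does not state:
#   * G is given as a list of cyclic orders, e.g. [2, 4] for Z/2Z x Z/4Z, so that
#     n = |G| is their product and k = exponent(G) is their lcm.
#   * The prime search is a plain increasing search over primes p = 1 (mod k).
#     It stands in for Algorithm 17.4 (not reproduced on the page): deterministic,
#     but with no polynomial-time guarantee.
from functools import reduce
from math import gcd


def group_invariants(cyclic_orders):
    """n = |G| and k = exponent(G) for G = Z/d_1 x ... x Z/d_t."""
    n = reduce(lambda a, b: a * b, cyclic_orders, 1)
    k = reduce(lambda a, b: a * b // gcd(a, b), cyclic_orders, 1)
    return n, k


def is_prime(x):
    """Trial division; adequate for the small sizes used here."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    d = 3
    while d * d <= x:
        if x % d == 0:
            return False
        d += 2
    return True


def primes_one_mod_k(k, start=1):
    """Primes p > start with p = 1 (mod k), in increasing order (k >= 2)."""
    p = start + 1
    while True:
        if p % k == 1 and is_prime(p):
            yield p
        p += 1


def exceeds_bound(x, n):
    """x > 2^(n/2) + 1, tested exactly as (x - 1)^2 > 2^n (valid for x > 1)."""
    return x > 1 and (x - 1) ** 2 > 2 ** n


def smallest_power_exceeding(p, n):
    """Smallest r >= 1 with p^r > 2^(n/2) + 1; returns (p^r, r)."""
    r, pr = 1, p
    while not exceeds_bound(pr, n):
        r, pr = r + 1, pr * p
    return pr, r


def euler_phi_prime_power(p, r):
    """phi(p^r) = (p - 1) p^(r - 1); step (iii) of Algorithm 17.7 sets k(p^r) to this."""
    return (p - 1) * p ** (r - 1)


def algorithm_17_7(cyclic_orders, max_candidates=10_000):
    """n, k, ell = p^r, m = q^s with ell, m > 2^(n/2) + 1, p = q = 1 (mod k),
    gcd(phi(ell), phi(m)) = k, and k(ell), k(m) as in step (iii)."""
    n, k = group_invariants(cyclic_orders)
    # Proposition 18.3 takes u in G of order 2, so k is even.  If k were odd and
    # > 1, both p - 1 and q - 1 would be even and the gcd could never equal k.
    if k % 2:
        raise ValueError("exponent k must be even (u in G has order 2)")
    p = next(primes_one_mod_k(k))
    ell, r = smallest_power_exceeding(p, n)
    k_ell = euler_phi_prime_power(p, r)
    for count, q in enumerate(primes_one_mod_k(k, start=p)):  # q > p, so q != p
        if count >= max_candidates:
            raise RuntimeError("no suitable q found within the candidate cap")
        m, s = smallest_power_exceeding(q, n)
        k_m = euler_phi_prime_power(q, s)
        if gcd(k_ell, k_m) == k:
            return {"n": n, "k": k, "ell": ell, "m": m, "k_ell": k_ell, "k_m": k_m}


def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def step_vi(k, k_ell, k_m):
    """Step (vi) of Algorithm 18.1: b >= 0 with b*k(m) = k (mod k(ell)).
    Also returns the a with a*k(ell) + b*k(m) = k used in the proof of Lemma 17.9."""
    g, _, y = egcd(k_ell, k_m)           # k_ell*x + k_m*y = g
    if g != k:
        raise ValueError("gcd(k(ell), k(m)) must equal k")
    b = y % (k_ell // k)                 # smallest non-negative solution
    a = (k - b * k_m) // k_ell
    assert a * k_ell + b * k_m == k
    return a, b


if __name__ == "__main__":
    out = algorithm_17_7([2, 4])         # G = Z/2Z x Z/4Z: n = 8, k = 4
    a, b = step_vi(out["k"], out["k_ell"], out["k_m"])
    print(out, "a =", a, "b =", b)      # ell = 25, m = 169, k(ell) = 20, k(m) = 156, b = 4
```

For $G = \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z}$ the bound is $2^4 + 1 = 17$, the first prime $p \equiv 1 \bmod 4$ is $5$, so $\ell = 25$ with $k(\ell) = 20$; the next candidate $q = 13$ gives $m = 169$ with $k(m) = 156$, and $\gcd(20, 156) = 4 = k$. Step (vi) then reduces to inverting $k(m)/k = 39$ modulo $k(\ell)/k = 5$, giving $b = 4$, and indeed $4 \cdot 156 = 624 \equiv 4 \bmod 20$. The evenness check matters: with $u$ of order 2 the exponent $k$ is even, and for odd $k > 1$ the search could never terminate because $p - 1$ and $q - 1$ are both even.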

Remark 18.2. Note that we do not use Algorithm 14.8 to compute $L^k$. This is
because Algorithm 16.4 requires more information about $L^k$ than is provided by
Algorithm 14.8, namely, the information needed for the construction of the order $A$.

Proposition 18.3. Algorithm 18.1 is a deterministic polynomial-time algorithm that,
given a finite abelian group $G$, an element $u \in G$ of order 2, and a $G$-lattice $L$, outputs
a $G$-isomorphism $\mathbb{Z}(G) \to L$ or a proof that none exists.

Proof. By Theorem 12.4(iii), the $G$-lattice $L$ is $G$-isomorphic to $\mathbb{Z}(G)$ if and only if
$L$ is invertible and has a short vector. Algorithm 10.2 checks whether $L$ is invertible.
If it is, we look for an $e \in L$ such that $e\bar{e} = 1$.

Algorithm 17.7 produces prime powers $\ell, m > 2^{n/2} + 1$ such that $\gcd(k(\ell), k(m)) = k$.
The algorithm in Proposition 10.1 produces $e_{\ell m}$, which then serves as both $e_m$ and
$e_\ell$. Algorithm 4.2 finds a short vector $v_m$ (if it exists) in the coset $e_{\ell m}^{k(m)} + mL^{k(m)} \in
L^{k(m)}/mL^{k(m)}$. If $e \in L$ is short, then $v_m = e^{k(m)}$ by Lemma 17.9. Algorithm 4.2
produces a short $v$ in the coset $s^b e_{\ell m}^k + \ell L^k$ or proves that none exists. By Lemma
17.9, if $e \in L$ is short then $v = e^k$. Algorithm 16.4 then finds a short vector $e \in L$,
or proves that none exists. The map $x \mapsto xe$ gives the desired $G$-isomorphism from
$\mathbb{Z}(G)$ to $L$. $\square$

Remark 18.4. There is a version of the algorithm in which checking invertibility
in step (i) is skipped. In this case, the algorithm may misbehave at other points,
indicating that $L$ is not invertible and thus not $G$-isomorphic to $\mathbb{Z}(G)$ by Lemma
9.6. At the end one would check whether $(e, e) = 1$ and $(e, \sigma e) = 0$ for all $\sigma \ne 1, u$.
If so, then $\{\sigma e\}_{\sigma \in S}$ is an orthonormal basis for $L$, and $x \mapsto xe$ gives the desired
isomorphism; if not, no such isomorphism exists.

Thanks  to  Corollary  14.3,  we  can  convert  Algorithm  18.1  to  an  algorithm  to  test 
whether  two  G-lattices  are  G-isomorphic  (and  produce  an  isomorphism). 

Algorithm 18.5. Given $G$, $u$, and two invertible $G$-lattices $L$ and $M$, the algorithm
determines whether there is a $G$-isomorphism $M \to L$, and if so, computes one.

(i) Compute $L \otimes_{\mathbb{Z}(G)} \overline{M}$.

(ii) Apply Algorithm 18.1 to find a $G$-isomorphism $\mathbb{Z}(G) \to L \otimes_{\mathbb{Z}(G)} \overline{M}$, or a
proof that none exists. In the latter case, terminate with "no".

(iii) Using this map and the map $\overline{M} \otimes_{\mathbb{Z}(G)} M \to \mathbb{Z}(G)$, $y \otimes x \mapsto y \cdot x$, output the
composition of the (natural) maps

$M \to \mathbb{Z}(G) \otimes_{\mathbb{Z}(G)} M \to L \otimes_{\mathbb{Z}(G)} \overline{M} \otimes_{\mathbb{Z}(G)} M \to L \otimes_{\mathbb{Z}(G)} \mathbb{Z}(G) \to L.$
List of Symbols, Abbreviations, and Acronyms

FHE    Fully Homomorphic Encryption

LLL    Lenstra-Lenstra-Lovász lattice basis reduction algorithm

Z      the integers

Z[X]   the set of polynomials in one variable X with integer coefficients

|G|    the number of elements in a set G